Maxun before 0.0.42 contains a cross-tenant insecure direct object reference (IDOR) vulnerability in its storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. By bypassing the ownership checks in these API endpoints, an attacker can read plaintext Google and Airtable access tokens and modify, delete, or execute other users' robots.
References
Configurations
No configuration.
History
25 Jun 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-25 19:16
Updated : 2026-06-25 21:16
NVD link : CVE-2026-56767
Mitre link : CVE-2026-56767
CVE.ORG link : CVE-2026-56767
Products Affected
No product.
CWE
CWE-862
Missing Authorization
