CVE-2026-56767

Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers

CVSS 8.7 HIGHEPSS 0.3%CWE-862

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Produtos afetados

getmaxun · maxun

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/getmaxun/maxun/commit/11db0257531f1c23dec94727793c9444ee2873cf https://github.com/getmaxun/maxun/issues/1079 https://github.com/getmaxun/maxun/pull/1088 https://www.vulncheck.com/advisories/maxun-cross-tenant-idor-in-storage-and-webhook-api-handlers