CVE Catalog

CVE-2026-56767

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile — higher than 25% of all known CVEs

Summary

Maxun before version 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens.

Risk Assessment

Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

Recommendation

It is recommended to upgrade to Maxun version 0.0.42 or later to mitigate this vulnerability and implement additional access controls in the API.

Original NVD description (English source)

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS