CVE-2026-11369

HIGH

IDOR in Comment API Allows Cross-Process Comment Read and Write

Title source: cna

Description

The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://linqi.help/en/reference/security/security-advisories/#security-advisory-insecure-direct-object-reference-idor-in-comment-api-in-linqi

Scores

CVSS v4 7.1

EPSS 0.0021

EPSS Percentile 10.8%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

linqi GmbH/linqi < 1.4.8.5

Published Jun 05, 2026

Tracked Since Jun 05, 2026