CVE-2026-35023

MEDIUM

Wimi Teamwork On-Premises < 8.2.0 IDOR via preview.php

Title source: cna

Description

Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information.
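A detection sketch for the enumeration pattern described above, added here as an example and not taken from the vendor or the advisory. It assumes a common-log-format access log with the authenticated user in the third field and requests of the form `/preview.php?item_id=N`; the log layout, the sample lines and the `min_run` threshold are all assumptions to adapt.

```python
import re
from collections import defaultdict

# Assumed access-log layout (common log format); adjust to the real web-server/proxy format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"GET \S*preview\.php\?(?P<query>\S*) HTTP/[\d.]+"'
)
ITEM_RE = re.compile(r'(?:^|&)item_id=(\d+)(?:&|$)')

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of ids."""
    best = 0
    for i in ids:
        if i - 1 not in ids:          # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumeration(lines, min_run=5):
    """Return {(ip, user): run_length} for clients requesting sequential item_id values."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        item = ITEM_RE.search(m.group("query"))
        if item:
            seen[(m.group("ip"), m.group("user"))].add(int(item.group(1)))
    runs = {client: longest_run(ids) for client, ids in seen.items()}
    return {client: run for client, run in runs.items() if run >= min_run}

# Constructed sample log lines (not from a real system).
SAMPLE = [
    '198.51.100.20 - bob [08/Apr/2026:09:58:10 +0000] "GET /preview.php?item_id=4410 HTTP/1.1" 200 18231',
    '198.51.100.20 - bob [08/Apr/2026:10:12:44 +0000] "GET /preview.php?item_id=4522 HTTP/1.1" 200 20110',
] + [
    f'203.0.113.7 - mallory [08/Apr/2026:10:00:{s:02d} +0000] '
    f'"GET /preview.php?item_id={4500 + s} HTTP/1.1" 200 17000'
    for s in range(8)
]

if __name__ == "__main__":
    for (ip, user), run in find_enumeration(SAMPLE).items():
        print(f"possible item_id enumeration: ip={ip} user={user} consecutive_ids={run}")
```

A legitimate client can also produce short consecutive runs, so tune `min_run` and check hits against the conversations the user actually belongs to.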

Scores

CVSS v3: 4.3
EPSS: 0.0003
EPSS Percentile: 8.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-639
Status: published
Products (1): Cloud Solutions SAS/Wimi Teamwork < 8.2.0
Published: Apr 08, 2026
Tracked Since: Apr 08, 2026