CVE-2026-40127

MEDIUM

Authorization Bypass Through User-Controlled Key in OutSystems Lifetime

Title source: cna

Description

OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955

References (2)

Core 2

Core References

Third Party Advisory third-party-advisory

https://cert.pl/en/posts/2026/05/CVE-2026-40126/

Product product

https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953&MajorVersion=11&ComponentName=LifeTime

Scores

CVSS v4 5.3

EPSS 0.0032

EPSS Percentile 23.4%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

OutSystems/Lifetime < 11.28.2.3955

Published May 25, 2026

Tracked Since May 25, 2026