CVE-2026-56767
HIGHMaxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers
Title source: cnaDescription
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.
References (4)
Core 4
Core References
Technical Description technical-description
GitHub Issue
https://github.com/getmaxun/maxun/issues/1079
Patch patch
Patch Commit
https://github.com/getmaxun/maxun/commit/11db0257531f1c23dec94727793c9444ee2873cf
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/maxun-cross-tenant-idor-in-storage-and-webhook-api-handlers
Scores
CVSS v3
8.8
EPSS
0.0033
EPSS Percentile
25.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (2)
getmaxun/maxun
< 0.0.42
getmaxun/maxun
0.0.42
Published
Jun 25, 2026
Tracked Since
Jun 26, 2026