CVE-2026-56767

HIGH

Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers

Title source: cna
STIX 2.1

Description

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.0033
EPSS Percentile 25.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (2)
getmaxun/maxun < 0.0.42
getmaxun/maxun 0.0.42
Published Jun 25, 2026
Tracked Since Jun 26, 2026