CVE-2026-59262
MEDIUMAFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field
Title source: cnaDescription
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.
References (4)
Core 4
Core References
Patch patch
Patch Commit
https://github.com/toeverything/AFFiNE/commit/1f0bcd01a37a522393fc1b288395e3a72a79ccad
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/affine-unauthorized-document-edit-history-access-via-graphql-histories-field
Scores
CVSS v3
6.5
EPSS
0.0024
EPSS Percentile
14.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
affine/monorepo
< 0.26.3
affine/monorepo
< 1f0bcd0
Published
Jul 08, 2026
Tracked Since
Jul 08, 2026