CVE-2026-59262

MEDIUM

AFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field

Title source: cna
STIX 2.1

Description

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

Scores

CVSS v3 6.5
EPSS 0.0024
EPSS Percentile 14.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
affine/monorepo < 0.26.3
affine/monorepo < 1f0bcd0
Published Jul 08, 2026
Tracked Since Jul 08, 2026