CVE-2026-56767

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

Vulnerability Details

Published Date

June 25, 2026

Last Modified

June 25, 2026

CWE ID

CWE-862

Source

NVD

Vendor

getmaxun

Product

maxun

External References

https://github.com/getmaxun/maxun/commit/11db0257531f1c23dec94727793c9444ee2873cf
https://github.com/getmaxun/maxun/issues/1079
https://github.com/getmaxun/maxun/pull/1088
https://www.vulncheck.com/advisories/maxun-cross-tenant-idor-in-storage-and-webhook-api-handlers

CVE-2026-56767

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment