Lucene search
K

50 matches found

CVE
CVE
added 4 days ago13 views

CVE-2025-13475

CVE-2025-13475 describes cross-tenant data exposure in multi-tenant deployments due to mis-isolation of consent scopes in the application consent management mechanism. A user’s consent for a SaaS application in one tenant could be incorrectly applied to similarly named applications in other tenan...

3.5CVSS5.9AI score0.00146EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added last week4 views

foreman: foreman: Cross-tenant private SSH key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.0027EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added last week5 views

foreman: foreman: Cross-tenant private SSH key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.0027EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added last week6 views

foreman: foreman: Cross-tenant private SSH key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.0027EPSS
Exploits0References4
NVD
NVD
added last week8 views

CVE-2026-5142

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS0.0027EPSS
Exploits0References6
CVE
CVE
added last week11 views

CVE-2026-5142

CVE-2026-5142 (Foreman) : A flaw allows authenticated users with the low-privilege permission view_keypairs to bypass taxonomy scoping and download private SSH keys from other organizations by querying key pair IDs. This results in cross-tenant data exposure in multi-tenant deployments. The initi...

6.5CVSS5.7AI score0.0027EPSS
Exploits0References6
EUVD
EUVD
added last week8 views

EUVD-2026-41002

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.0027EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added last week3 views

CVE-2026-5142

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.0027EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added last week7 views

CVE-2026-5142 Foreman: foreman: cross-tenant private ssh key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.0027EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/22 9:4 p.m.6 views

EUVD-2026-38373

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channelself endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary...

8.7CVSS5.9AI score0.00379EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.15 views

PT-2026-50602

Name of the Vulnerable Software and Affected Versions Avo affected versions not specified Description A missing authorization flaw in the association attach workflow allows authenticated low-privileged users to bypass access controls. While the user interface and the 'GET...

9.6CVSS5.9AI score
Exploits0References5
CVE
CVE
added 2026/06/12 9:3 p.m.23 views

CVE-2026-47124

CVE-2026-47124 (Nezha Monitoring) : In versions 1.4.0 through before 2.0.9, any authenticated non-admin user can connect to the server-status WebSocket and receive telemetry for all servers, including those owned by other users. The WebSocket stream bypasses per-server HasPermission checks, retur...

6.5CVSS5.2AI score0.0027EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 9:19 p.m.37 views

CVE-2026-9831 ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS0.00172EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.19 views

PT-2026-44998

Name of the Vulnerable Software and Affected Versions ExtremeCloud IQ affected versions not specified Description A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path can intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued AP...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/28 4:51 p.m.32 views

CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7CVSS0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/28 4:50 p.m.28 views

CVE-2026-45297 Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...

5.3CVSS0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/05/19 9:28 a.m.20 views

CVE-2026-31388

CVE-2026-31388 affects Apache OFBiz in multi-tenant deployments and is due to Improper Access Control, enabling cross-tenant data exposure via the Program Export feature. Affected versions are before 24.09.06. The advisory recommends upgrading to OFBiz 24.09.06 or later to fix the issue. No explo...

5.3CVSS5.8AI score0.00416EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/19 9:28 a.m.8 views

CVE-2026-31388 Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature

Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

5.8AI score0.00416EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/13 7:24 p.m.9 views

CVE-2026-40252

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability IDOR/BOLA allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify...

8.1CVSS6AI score0.00342EPSS
Exploits0References1
NVD
NVD
added 2026/04/10 9:16 p.m.4 views

CVE-2026-40252

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability IDOR/BOLA allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify...

8.1CVSS0.00342EPSS
Exploits0References2
Rows per page
Query Builder