Detections
Analytics

CVE-2026-56767

high

Description

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

References

https://www.vulncheck.com/advisories/maxun-cross-tenant-idor-in-storage-and-webhook-api-handlers

https://github.com/getmaxun/maxun/pull/1088

https://github.com/getmaxun/maxun/issues/1079

https://github.com/getmaxun/maxun/commit/11db0257531f1c23dec94727793c9444ee2873cf

Details

Source: Mitre, NVD

Published: 2026-06-25

Updated: 2026-06-25

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.0033