CVE-2026-59262

high

Description

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

References

https://www.vulncheck.com/advisories/affine-unauthorized-document-edit-history-access-via-graphql-histories-field

https://github.com/toeverything/AFFiNE/issues/15179

https://github.com/toeverything/AFFiNE/commit/1f0bcd01a37a522393fc1b288395e3a72a79ccad

https://github.com/toeverything/AFFiNE

Details

Source: Mitre, NVD

Published: 2026-07-08

Updated: 2026-07-08

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

CVSS v4

Base Score: 7.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: High