Critical SSRF in Apache Answer 2.0.0 - CVE-2026-34031

Denial-of-service via crafted TIFF image upload in Apache Answer through 2.0.0 allows an authenticated user to crash the server process by triggering excessive memory allocation during image decoding. The vulnerability stems from improper handling of specially crafted TIFF files in the file upload feature, where no bounds are placed on memory consumed during the decode phase. No public exploit code or active exploitation has been identified at time of analysis; however, the low technical barrier to trigger the crash once authenticated elevates its operational risk for community and enterprise deployments.

Unauthorized information disclosure in Apache Answer through 2.0.0 allows authenticated users to bypass access restrictions on the 'unlisted question' feature by querying direct API endpoints. Rather than enforcing the same visibility controls applied at the UI layer, the underlying API routes expose unlisted questions along with their associated answers, comments, and full revision history to any authenticated user. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the straightforward nature of the bypass - direct API calls - lowers the practical bar for exploitation by any platform user.

Unsanitized rendering of AI-generated response content in Apache Answer through 2.0.0 enables cross-site scripting (XSS) execution in the browsers of any user viewing affected AI-generated answers. The vulnerability (CWE-87, Improper Neutralization of Alternate XSS Syntax) arises because the AI answer rendering pipeline passes output directly to the browser DOM without stripping or encoding malicious script constructs. No public exploit code has been identified at time of analysis, and CISA KEV listing has not been confirmed, but the critical severity designation and vendor-confirmed patch at 2.0.1 indicate this is a high-priority remediation target for all deployments using the AI answer feature.

Apache Answer's Timeline API endpoints through version 2.0.0 fail to enforce authorization, exposing deleted, private, and unapproved content - along with full revision histories - to any authenticated regular user. The vulnerability is an information disclosure flaw affecting all Apache Answer deployments (community forums, help centers, knowledge platforms) running 2.0.0 or earlier. No public exploit has been identified and no KEV listing exists; however, in community deployments where user accounts are freely self-registered, the authentication prerequisite provides limited real-world protection.

HTML content injection in Apache Answer's email notification system allows authenticated users to embed arbitrary HTML markup into notification emails delivered to other platform users. All versions through 2.0.0 are affected. Because no CVSS vector was published at time of analysis, authentication requirements are confirmed from the description rather than from a CVSS PR component - an attacker must have a valid platform account to submit the content that triggers the malicious notification. No public exploit code and no CISA KEV listing have been identified.