Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.
AnalysisAI
Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.
Technical ContextAI
linqi is a low-code business process management (BPM) platform marketed by linqi GmbH and identified by the CPE cpe:2.3:a:linqi_gmbh:linqi. The vulnerable component is the Comment API exposed via GET and POST on /api/Comment, which accepts a relatedObjectId GUID identifying the process or business object the comment is attached to. CWE-639 (Authorization Bypass Through User-Controlled Key) describes the root cause precisely: the server trusts the client-supplied object identifier and returns or stores data without checking whether the authenticated principal is entitled to that specific object. In a multi-tenant BPM context where business units share an instance, this collapses the boundary between tenants for comment data.
RemediationAI
Upgrade linqi to a version newer than 1.4.8.5 per the vendor advisory at https://linqi.help/en/reference/security/security-advisories/#security-advisory-insecure-direct-object-reference-idor-in-comment-api-in-linqi; the advisory should be checked for the specific patched release number, as no exact fix version was provided in the available intelligence. Until the upgrade is deployed, compensating controls include restricting network access to /api/Comment via an upstream reverse proxy or WAF rule that requires additional contextual headers, enabling verbose audit logging on Comment API calls and alerting on requests whose relatedObjectId GUID does not match objects the user has recently interacted with, and reducing the number of standing low-privileged accounts in the tenant - each of these reduces exposure but does not eliminate the underlying IDOR, and WAF-level GUID-to-user mapping is generally impractical for a stateful BPM workload, so patching remains the only durable fix.
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
Cryptographic weaknesses in the linqi application (versions ≤1.4.8.5) allow local attackers with low-level privileges to
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated high severity (CVSS 7.5), this vulnerability is remote
Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the Val
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 5.9), this vulnerability is no a
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 5.5), this vulnerability is remo
Server-side request forgery in linqi's custom process creation feature allows authenticated attackers to conduct interna
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 4.8), this vulnerability is low
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34827
GHSA-8rq4-278f-v3vj