Skip to main content

linqi CVE-2026-11369

| EUVDEUVD-2026-34827 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-05 linqi GHSA-8rq4-278f-v3vj
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 16:15 vuln.today
CVSS changed
Jun 05, 2026 - 14:22 NVD
7.1 (HIGH)
CVE Published
Jun 05, 2026 - 12:37 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.

AnalysisAI

Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.

Technical ContextAI

linqi is a low-code business process management (BPM) platform marketed by linqi GmbH and identified by the CPE cpe:2.3:a:linqi_gmbh:linqi. The vulnerable component is the Comment API exposed via GET and POST on /api/Comment, which accepts a relatedObjectId GUID identifying the process or business object the comment is attached to. CWE-639 (Authorization Bypass Through User-Controlled Key) describes the root cause precisely: the server trusts the client-supplied object identifier and returns or stores data without checking whether the authenticated principal is entitled to that specific object. In a multi-tenant BPM context where business units share an instance, this collapses the boundary between tenants for comment data.

RemediationAI

Upgrade linqi to a version newer than 1.4.8.5 per the vendor advisory at https://linqi.help/en/reference/security/security-advisories/#security-advisory-insecure-direct-object-reference-idor-in-comment-api-in-linqi; the advisory should be checked for the specific patched release number, as no exact fix version was provided in the available intelligence. Until the upgrade is deployed, compensating controls include restricting network access to /api/Comment via an upstream reverse proxy or WAF rule that requires additional contextual headers, enabling verbose audit logging on Comment API calls and alerting on requests whose relatedObjectId GUID does not match objects the user has recently interacted with, and reducing the number of standing low-privileged accounts in the tenant - each of these reduces exposure but does not eliminate the underlying IDOR, and WAF-level GUID-to-user mapping is generally impractical for a stateful BPM workload, so patching remains the only durable fix.

More in Linqi

View all

Share

CVE-2026-11369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy