Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible RPC requires low-privileged authentication; only mailbox secret confidentiality is impacted with no integrity, availability, or scope-change effect.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in hcengineering Huly Platform up to 0.7.0. Affected is the function getMailboxSecret of the file server/account/src/operations.ts of the component RPC Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper access controls in Huly Platform's RPC interface allow an authenticated remote attacker with low privileges to invoke the getMailboxSecret function in server/account/src/operations.ts and retrieve mailbox secrets they are not authorized to access. Versions up to and including 0.7.0 of hcengineering's Huly Platform are confirmed affected. A public proof-of-concept exploit has been disclosed (reflected in the CVSS 4.0 E:P modifier); no vendor patch exists as the vendor did not respond to responsible disclosure, leaving all users of affected versions exposed with no official remediation path.
Technical ContextAI
Huly Platform is an open-source collaborative workspace tool developed by hcengineering. The vulnerability exists in the getMailboxSecret function within server/account/src/operations.ts, which is exposed over the platform's RPC (Remote Procedure Call) interface - a network-accessible API layer used for server-side account operations. CWE-266 (Incorrect Privilege Assignment) classifies the root cause: the function fails to enforce adequate authorization checks before returning the mailbox secret, meaning a caller with only low-level platform privileges can retrieve secrets scoped to accounts or mailboxes they do not own. Mailbox secrets in this context are likely credentials or tokens used for internal mail integration within the Huly workspace, making their unauthorized disclosure a credential exposure risk. No CPE string was provided in available intelligence sources.
RemediationAI
No vendor-released patch has been identified at time of analysis; the vendor did not respond to responsible disclosure, and no fixed version is confirmed. Organizations running Huly Platform up to 0.7.0 should implement the following specific compensating controls: first, restrict network access to the RPC interface at the firewall or reverse proxy layer, limiting reachability to trusted internal networks only - note this may impact legitimate remote users who rely on RPC-based features. Second, if the platform supports API-level authorization middleware, enforce role-based access control on the getMailboxSecret RPC method to reject callers without explicit administrative privilege - this requires application-level customization and will not survive upstream updates without re-application. Third, enable audit logging for all invocations of account-related RPC methods and alert on anomalous cross-account access patterns. Monitor https://vuldb.com/vuln/370854 and the hcengineering GitHub repository for any community-supplied patches or official vendor response.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36686
GHSA-gw69-97jp-c5gg