Skip to main content

Huly Platform CVE-2026-12212

| EUVDEUVD-2026-36686 LOW
Incorrect Privilege Assignment (CWE-266)
2026-06-15 cna@vuldb.com GHSA-gw69-97jp-c5gg
2.1
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-accessible RPC requires low-privileged authentication; only mailbox secret confidentiality is impacted with no integrity, availability, or scope-change effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 04:31 vuln.today

DescriptionCVE.org

A vulnerability has been found in hcengineering Huly Platform up to 0.7.0. Affected is the function getMailboxSecret of the file server/account/src/operations.ts of the component RPC Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper access controls in Huly Platform's RPC interface allow an authenticated remote attacker with low privileges to invoke the getMailboxSecret function in server/account/src/operations.ts and retrieve mailbox secrets they are not authorized to access. Versions up to and including 0.7.0 of hcengineering's Huly Platform are confirmed affected. A public proof-of-concept exploit has been disclosed (reflected in the CVSS 4.0 E:P modifier); no vendor patch exists as the vendor did not respond to responsible disclosure, leaving all users of affected versions exposed with no official remediation path.

Technical ContextAI

Huly Platform is an open-source collaborative workspace tool developed by hcengineering. The vulnerability exists in the getMailboxSecret function within server/account/src/operations.ts, which is exposed over the platform's RPC (Remote Procedure Call) interface - a network-accessible API layer used for server-side account operations. CWE-266 (Incorrect Privilege Assignment) classifies the root cause: the function fails to enforce adequate authorization checks before returning the mailbox secret, meaning a caller with only low-level platform privileges can retrieve secrets scoped to accounts or mailboxes they do not own. Mailbox secrets in this context are likely credentials or tokens used for internal mail integration within the Huly workspace, making their unauthorized disclosure a credential exposure risk. No CPE string was provided in available intelligence sources.

RemediationAI

No vendor-released patch has been identified at time of analysis; the vendor did not respond to responsible disclosure, and no fixed version is confirmed. Organizations running Huly Platform up to 0.7.0 should implement the following specific compensating controls: first, restrict network access to the RPC interface at the firewall or reverse proxy layer, limiting reachability to trusted internal networks only - note this may impact legitimate remote users who rely on RPC-based features. Second, if the platform supports API-level authorization middleware, enforce role-based access control on the getMailboxSecret RPC method to reject callers without explicit administrative privilege - this requires application-level customization and will not survive upstream updates without re-application. Third, enable audit logging for all invocations of account-related RPC methods and alert on anomalous cross-account access patterns. Monitor https://vuldb.com/vuln/370854 and the hcengineering GitHub repository for any community-supplied patches or official vendor response.

Share

CVE-2026-12212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy