Skip to main content

Huly Platform CVE-2026-12213

| EUVDEUVD-2026-36687 LOW
Incorrect Privilege Assignment (CWE-266)
2026-06-15 cna@vuldb.com GHSA-r253-j6c8-4228
2.1
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable by any authenticated low-privilege user (PR:L), with no attack complexity or scope change, and only limited account-data confidentiality impact (C:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 04:31 vuln.today

DescriptionCVE.org

A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Improper authorization in Huly Platform up to version 0.7.0 allows authenticated low-privilege users to remotely invoke the getAccountInfo function in server/account/src/operations.ts and retrieve account information beyond their authorized scope. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment), with impact confined to limited confidentiality disclosure - no integrity or availability impact is present. A public proof-of-concept exploit exists (CVSS 4.0 E:P); no vendor patch is available as the vendor did not respond to coordinated disclosure.

Technical ContextAI

Huly Platform is an open-source collaborative project management platform developed by hcengineering. The vulnerable code path is the getAccountInfo function within server/account/src/operations.ts, which acts as the User Information Handler on the server-side account subsystem. CWE-266 (Incorrect Privilege Assignment) indicates the root cause: the function fails to enforce authorization boundaries, granting a lower-privileged caller access to account data scoped to higher-privilege roles. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms the flaw is network-reachable, requires no special attack conditions, and is exploitable by any authenticated user without user interaction. No CPE strings were provided in the available data, so exact platform deployment configurations cannot be independently enumerated.

RemediationAI

No vendor-released patch has been identified at the time of analysis; the vendor did not respond to responsible disclosure. Upstream fix availability is not confirmed. Organizations running Huly Platform 0.7.0 or earlier should implement compensating controls: restrict network-level access to the account API endpoints (particularly those routing to the getAccountInfo handler) using reverse proxy authorization middleware or firewall rules, limiting reach to only trusted authenticated roles. If the platform supports role-based access control configuration, ensure low-privilege user roles are explicitly excluded from account-info query permissions. Monitor server-side logs for anomalous account lookup patterns that may indicate exploitation. Track VulDB advisory 370855 at https://vuldb.com/vuln/370855 for any future patch releases. Note that restricting endpoint access may impact legitimate account management workflows - assess trade-offs before applying.

Share

CVE-2026-12213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy