Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable by any authenticated low-privilege user (PR:L), with no attack complexity or scope change, and only limited account-data confidentiality impact (C:L).
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Improper authorization in Huly Platform up to version 0.7.0 allows authenticated low-privilege users to remotely invoke the getAccountInfo function in server/account/src/operations.ts and retrieve account information beyond their authorized scope. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment), with impact confined to limited confidentiality disclosure - no integrity or availability impact is present. A public proof-of-concept exploit exists (CVSS 4.0 E:P); no vendor patch is available as the vendor did not respond to coordinated disclosure.
Technical ContextAI
Huly Platform is an open-source collaborative project management platform developed by hcengineering. The vulnerable code path is the getAccountInfo function within server/account/src/operations.ts, which acts as the User Information Handler on the server-side account subsystem. CWE-266 (Incorrect Privilege Assignment) indicates the root cause: the function fails to enforce authorization boundaries, granting a lower-privileged caller access to account data scoped to higher-privilege roles. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms the flaw is network-reachable, requires no special attack conditions, and is exploitable by any authenticated user without user interaction. No CPE strings were provided in the available data, so exact platform deployment configurations cannot be independently enumerated.
RemediationAI
No vendor-released patch has been identified at the time of analysis; the vendor did not respond to responsible disclosure. Upstream fix availability is not confirmed. Organizations running Huly Platform 0.7.0 or earlier should implement compensating controls: restrict network-level access to the account API endpoints (particularly those routing to the getAccountInfo handler) using reverse proxy authorization middleware or firewall rules, limiting reach to only trusted authenticated roles. If the platform supports role-based access control configuration, ensure low-privilege user roles are explicitly excluded from account-info query permissions. Monitor server-side logs for anomalous account lookup patterns that may indicate exploitation. Track VulDB advisory 370855 at https://vuldb.com/vuln/370855 for any future patch releases. Note that restricting endpoint access may impact legitimate account management workflows - assess trade-offs before applying.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36687
GHSA-r253-j6c8-4228