Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable authenticated (PR:L) IDOR with low complexity; scope changed (S:C) since one tenant's session breaches another tenant's data, high C/I and low A.
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.
AnalysisAI
Cross-tenant authorization bypass in Adiss Biloop allows an authenticated user to manipulate the company ID parameter in a backend POST request and access or modify data belonging to other companies (tenants) hosted in the same subdomain environment. The flaw exposes sensitive customer information including billing data and permits unauthorized modification of third-party records. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated account on the Biloop platform (CVSS PR:L) and a deployment where multiple companies/tenants are hosted within the same shared subdomain environment - the exact multi-tenant configuration Biloop uses. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high priority for any organization running Biloop in a shared multi-tenant configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user with a legitimate low-privilege Biloop account on the shared platform intercepts a normal backend POST request and changes the company ID parameter to a neighboring tenant's identifier. The server processes the request without verifying tenant ownership, returning another company's billing and customer data or applying attacker-controlled modifications to that tenant's records. … |
| Remediation | Patch available per vendor advisory - apply the fix from Adiss/Biloop as coordinated through INCIBE-CERT (https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-authorisation-adisss-biloop); no exact fixed version string was provided in the source data, so confirm the target patched build directly with the vendor. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Adiss Biloop deployments and quantify number of affected customer tenants; implement network-layer access restrictions to backend POST endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41860
GHSA-67j5-pj6c-m82p