Skip to main content

Biloop CVE-2026-12686

| EUVDEUVD-2026-41860 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-06 INCIBE GHSA-67j5-pj6c-m82p
9.3
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Network-reachable authenticated (PR:L) IDOR with low complexity; scope changed (S:C) since one tenant's session breaches another tenant's data, high C/I and low A.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 11:01 vuln.today

DescriptionCVE.org

An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.

AnalysisAI

Cross-tenant authorization bypass in Adiss Biloop allows an authenticated user to manipulate the company ID parameter in a backend POST request and access or modify data belonging to other companies (tenants) hosted in the same subdomain environment. The flaw exposes sensitive customer information including billing data and permits unauthorized modification of third-party records. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege authenticated account
Delivery
Intercept backend POST request
Exploit
Alter company ID parameter to target tenant
Execution
Server skips ownership check
Impact
Read/modify other companies' billing data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated account on the Biloop platform (CVSS PR:L) and a deployment where multiple companies/tenants are hosted within the same shared subdomain environment - the exact multi-tenant configuration Biloop uses. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high priority for any organization running Biloop in a shared multi-tenant configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user with a legitimate low-privilege Biloop account on the shared platform intercepts a normal backend POST request and changes the company ID parameter to a neighboring tenant's identifier. The server processes the request without verifying tenant ownership, returning another company's billing and customer data or applying attacker-controlled modifications to that tenant's records. …
Remediation Patch available per vendor advisory - apply the fix from Adiss/Biloop as coordinated through INCIBE-CERT (https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-authorisation-adisss-biloop); no exact fixed version string was provided in the source data, so confirm the target patched build directly with the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Adiss Biloop deployments and quantify number of affected customer tenants; implement network-layer access restrictions to backend POST endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12686 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy