Skip to main content

Comet Backup CVE-2026-29200

| EUVDEUVD-2026-26893 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-04 hackerone
9.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
May 04, 2026 - 07:31 EUVD
Analysis Generated
May 04, 2026 - 07:30 vuln.today
CVSS changed
May 04, 2026 - 07:22 NVD
9.9 (CRITICAL)
Patch released
May 04, 2026 - 07:16 nvd
Patch available
EUVD ID Assigned
May 04, 2026 - 07:00 euvd
EUVD-2026-26893
Analysis Generated
May 04, 2026 - 07:00 vuln.today
CVE Published
May 04, 2026 - 05:42 nvd
CRITICAL 9.9

DescriptionCVE.org

A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.

AnalysisAI

Tenant administrators in Comet Backup 20.11.0 through 26.1.1 and 26.2.1 can impersonate any end-user account across different tenants on the same server through an insecure direct object reference (IDOR) in an API endpoint. The vulnerability enables complete cross-tenant authentication bypass in multi-tenant deployments, allowing unauthorized access to backup data, configurations, and operations of arbitrary users. With CVSS 9.9 (Critical) rating and network-accessible exploitation requiring no privileges, this represents an immediate risk to managed service providers and multi-tenant Comet Backup installations, though no active exploitation has been confirmed via CISA KEV at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), commonly called Insecure Direct Object Reference (IDOR). The affected API endpoint accepts user-controlled identifiers without proper authorization checks to verify the requesting tenant administrator has legitimate access to the referenced end-user account. In multi-tenant backup systems like Comet Backup (cpe:2.3:a:webpros:comet_backup), tenant isolation is critical - administrators should only access accounts within their own tenant boundary. This IDOR flaw breaks that isolation boundary by allowing tenant admins to manipulate API parameters (likely user IDs or account identifiers) to reference and assume the identity of users belonging to completely different tenants on the same server instance. The CVSS 4.0 vector shows network accessibility (AV:N), low complexity (AC:L), and critically, no privileges required (PR:N), suggesting the vulnerable endpoint may lack even basic tenant administrator authentication or the IDOR can be exploited post-authentication through parameter manipulation.

RemediationAI

Immediately upgrade all Comet Backup installations to the latest patched version as specified in the vendor advisory at https://support.cometbackup.com/hc/en-us/articles/40090945484823--CVE-2026-29200-%D0%A1ritical-IDOR-vulnerability-in-Comet-Backup, which should detail the fixed release (likely 26.2.2 or 26.3.0 based on affected version patterns, though exact version not confirmed in provided data). If immediate patching is not feasible, implement emergency compensating controls: disable or firewall-restrict access to the vulnerable API endpoint if identified by vendor documentation, enforce strict network segmentation between tenant administration interfaces and backend services, enable comprehensive API request logging to detect suspicious cross-tenant access attempts, and consider temporarily disabling multi-tenant mode if business operations permit single-tenant deployment. These workarounds significantly impact usability for managed service providers and should be temporary only. Review all tenant administrator activity logs since November 2020 for indicators of exploitation such as API calls referencing user IDs outside expected tenant boundaries or unusual authentication patterns across tenant contexts.

Share

CVE-2026-29200 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy