Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
AnalysisAI
Unauthenticated attackers can bypass authorization controls in On24 Q&A Chat to enumerate event IDs and retrieve complete question-and-answer histories through the console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/ endpoint. This exposure leaks sensitive data including user identifiers, private URLs, messages, and internal references that should be restricted to authenticated users. The compromised information can facilitate reconnaissance for lateral movement, system exploitation, or unauthorized access to connected applications.
Technical ContextAI
The vulnerability exists in On24 Q&A Chat's API endpoint for retrieving survey answers. The endpoint relies on user-controlled parameters (EVENTID and TIMESTAMP) to access data without proper authorization checks, implementing a flawed access control mechanism classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The API fails to validate whether the requestor has legitimate access to the specified event before returning sensitive Q&A content. This design flaw allows enumeration of valid event identifiers through parameter manipulation, enabling systematic retrieval of all associated conversation data without authentication tokens or user validation.
RemediationAI
On24 should immediately implement proper authorization checks on the console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/ endpoint to verify that requestors are authenticated and have legitimate access to the requested event data before returning Q&A content. This requires authentication enforcement (rejecting unauthenticated requests) and session-based access control validation. Organizations running On24 Q&A Chat should contact On24 support immediately for patched versions and interim guidance. Until patches are available, network-level controls (IP allowlisting, WAF rules blocking unauthenticated access to /console-survey/api/v1/answer/* paths) can reduce exposure. Refer to INCIBE's advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-on24-qa-chat for official vendor guidance and patch status updates.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17084