Skip to main content

On24 Q A Chat CVE-2026-3321

| EUVDEUVD-2026-17084 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-30 INCIBE
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 13:45 euvd
EUVD-2026-17084
Analysis Generated
Mar 30, 2026 - 13:45 vuln.today
CVE Published
Mar 30, 2026 - 13:17 nvd
HIGH 8.7

DescriptionCVE.org

A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.

AnalysisAI

Unauthenticated attackers can bypass authorization controls in On24 Q&A Chat to enumerate event IDs and retrieve complete question-and-answer histories through the console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/ endpoint. This exposure leaks sensitive data including user identifiers, private URLs, messages, and internal references that should be restricted to authenticated users. The compromised information can facilitate reconnaissance for lateral movement, system exploitation, or unauthorized access to connected applications.

Technical ContextAI

The vulnerability exists in On24 Q&A Chat's API endpoint for retrieving survey answers. The endpoint relies on user-controlled parameters (EVENTID and TIMESTAMP) to access data without proper authorization checks, implementing a flawed access control mechanism classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The API fails to validate whether the requestor has legitimate access to the specified event before returning sensitive Q&A content. This design flaw allows enumeration of valid event identifiers through parameter manipulation, enabling systematic retrieval of all associated conversation data without authentication tokens or user validation.

RemediationAI

On24 should immediately implement proper authorization checks on the console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/ endpoint to verify that requestors are authenticated and have legitimate access to the requested event data before returning Q&A content. This requires authentication enforcement (rejecting unauthenticated requests) and session-based access control validation. Organizations running On24 Q&A Chat should contact On24 support immediately for patched versions and interim guidance. Until patches are available, network-level controls (IP allowlisting, WAF rules blocking unauthenticated access to /console-survey/api/v1/answer/* paths) can reduce exposure. Refer to INCIBE's advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-on24-qa-chat for official vendor guidance and patch status updates.

Share

CVE-2026-3321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy