Skip to main content

Id Server CVE-2026-3999

| EUVDEUVD-2026-11772 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-13 ENISA
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:22 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
9.0.0
EUVD ID Assigned
Mar 13, 2026 - 09:00 euvd
EUVD-2026-11772
Analysis Generated
Mar 13, 2026 - 09:00 vuln.today
CVE Published
Mar 13, 2026 - 08:38 nvd
HIGH 8.8

DescriptionCVE.org

A broken access control may allow an authenticated user to perform a horizontal privilege escalation. The vulnerability only impacts specific configurations.

AnalysisAI

A broken access control vulnerability in JetBrains Datalore allows authenticated users to escalate privileges horizontally, accessing resources of other users at the same permission level. The vulnerability affects Datalore versions prior to 2026.1 but only impacts specific configurations. With a CVSS score of 8.8 and high EPSS score of 0.36942, this represents a significant risk, though no active exploitation or proof-of-concept code has been reported publicly.

Technical ContextAI

The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application fails to properly validate user permissions when accessing resources. JetBrains Datalore, identified through CPE cpe:2.3:a:jetbrains:datalore:*:*:*:*:*:*:*:* with versions before 2026.1, is a collaborative data science platform that allows teams to work on notebooks and data analysis. The broken access control allows an authenticated user to manipulate identifiers or keys to access data belonging to other users at the same privilege level, bypassing intended authorization boundaries.

RemediationAI

Upgrade JetBrains Datalore to version 2026.1 or later, which contains the security fix for this vulnerability. JetBrains provides detailed upgrade instructions in their security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/. For environments where immediate patching is not feasible, implement additional access controls at the network level, monitor for unusual cross-user access patterns, and review your Datalore configuration to determine if it matches the vulnerable configurations described by JetBrains. Consider implementing additional authentication layers or network segmentation to limit potential horizontal movement.

Share

CVE-2026-3999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy