Skip to main content

NL Portal CVE-2026-49464

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-08 https://github.com/nl-portal/nl-portal-backend-libraries GHSA-6h3c-r723-7fx3
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Any authenticated citizen (PR:L) reaches the network GraphQL mutation with no user interaction to read and overwrite another user's task data (C:H/I:H), with no availability impact (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 21:53 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on nl.nl-portal:taak (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.5.0.

DescriptionGitHub Advisory

Impact

In versions from 1.5.0 up to and including 3.0.0, any authenticated portal user could complete and tamper with another user's open task by submitting it on their behalf. The task submission endpoint accepted a task ID and a payload, but it never checked whether the task actually belonged to the user making the call.

An attacker who held a valid login (a normal burger OAuth token) and who knew or guessed another user's task ID could:

  • Mark someone else's task as completed.
  • Overwrite the data submitted with that task - the verzonden_data - with arbitrary input of their choosing.
  • Receive the full task back in the GraphQL response, including the form data that the legitimate owner had already entered. This leaks personal data belonging to the original user.

Functionally this means a malicious authenticated user could submit and alter forms in any other user's name, while at the same time reading what that user had previously filled in. Both the integrity of submitted data and the confidentiality of form contents are affected.

The vulnerable code was introduced together with the Taak V2 implementation (commit bb1c1ecf, 2024-06-04) and first shipped in the 1.5.x release line. Earlier 1.x releases did not contain this resolver.

Patches

Upgrade to 3.0.1 or later.

Fix commit: 8e699add - "Add auth check for task submission".

Workarounds

Until the upgrade is applied, block the submitTaakV2 GraphQL mutation at the API gateway, or restrict the /graphql endpoint to trusted networks.

Technical details

The resolver nl.nlportal.zgw.taak.service.TaakService.submitTaakV2(id, submission, authentication) fetched the task object by UUID and immediately transitioned it to the AFGEROND state, writing record.data.portaalformulier.verzondenData from caller-supplied input. No check verified that the task's identificatie matched the authenticated burger.

The fix adds a call to a new isAuthorizedForTaak(authentication, objectsApiTask) before the status change. The check compares identificatie.type and identificatie.value against the authenticated principal and validates the task's eigenaar for bedrijf machtigingen.

Credits

Discovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.

AnalysisAI

Insecure Direct Object Reference in NL Portal's Taak V2 module (nl.nl-portal:taak) versions 1.5.0 through 3.0.0 lets any authenticated portal user holding a valid 'burger' OAuth token complete and tamper with another user's task by supplying its task ID. Because the submitTaakV2 GraphQL mutation never verified task ownership, an attacker can overwrite another user's submitted form data (verzondenData) and read that user's previously entered personal data returned in the GraphQL response, breaking both integrity and confidentiality. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid burger OAuth token
Delivery
Learn or guess victim task UUID
Exploit
Call submitTaakV2 with victim task ID
Execution
Server skips ownership check
Persist
Overwrite verzondenData and mark AFGEROND
Impact
Read victim form data from response

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated citizen session (a normal 'burger' OAuth token, PR:L) on a deployment running nl.nl-portal:taak version 1.5.0 through 3.0.0 with the Taak V2 submitTaakV2 GraphQL mutation exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, base 8.1 High) is internally consistent with the description: a network-reachable GraphQL endpoint, low complexity, low privilege (any valid citizen login), no user interaction, and high confidentiality and integrity impact with no availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A citizen registers a normal account on a municipality's NL Portal instance and obtains a valid burger OAuth token, then calls the submitTaakV2 GraphQL mutation with another citizen's task UUID and an arbitrary payload. The server completes the victim's task, overwrites its verzondenData with the attacker's input, and returns the full task including the victim's previously entered form data, letting the attacker both falsify submissions in the victim's name and read their personal information. …
Remediation Vendor-released patch: 3.0.1 - upgrade the nl.nl-portal:taak dependency to 3.0.1 or later, which adds the isAuthorizedForTaak(authentication, objectsApiTask) ownership check (fix commit 8e699add) validating identificatie.type and identificatie.value against the authenticated principal and the task eigenaar for bedrijf machtigingen. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all affected Taak V2 deployments and assess the volume and sensitivity of stored task data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy