NL Portal CVE-2026-49464
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Any authenticated citizen (PR:L) reaches the network GraphQL mutation with no user interaction to read and overwrite another user's task data (C:H/I:H), with no availability impact (A:N).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 2 maven packages depend on nl.nl-portal:taak (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.5.0.
DescriptionGitHub Advisory
Impact
In versions from 1.5.0 up to and including 3.0.0, any authenticated portal user could complete and tamper with another user's open task by submitting it on their behalf. The task submission endpoint accepted a task ID and a payload, but it never checked whether the task actually belonged to the user making the call.
An attacker who held a valid login (a normal burger OAuth token) and who knew or guessed another user's task ID could:
- Mark someone else's task as completed.
- Overwrite the data submitted with that task - the
verzonden_data- with arbitrary input of their choosing. - Receive the full task back in the GraphQL response, including the form data that the legitimate owner had already entered. This leaks personal data belonging to the original user.
Functionally this means a malicious authenticated user could submit and alter forms in any other user's name, while at the same time reading what that user had previously filled in. Both the integrity of submitted data and the confidentiality of form contents are affected.
The vulnerable code was introduced together with the Taak V2 implementation (commit bb1c1ecf, 2024-06-04) and first shipped in the 1.5.x release line. Earlier 1.x releases did not contain this resolver.
Patches
Upgrade to 3.0.1 or later.
Fix commit: 8e699add - "Add auth check for task submission".
Workarounds
Until the upgrade is applied, block the submitTaakV2 GraphQL mutation at the API gateway, or restrict the /graphql endpoint to trusted networks.
Technical details
The resolver nl.nlportal.zgw.taak.service.TaakService.submitTaakV2(id, submission, authentication) fetched the task object by UUID and immediately transitioned it to the AFGEROND state, writing record.data.portaalformulier.verzondenData from caller-supplied input. No check verified that the task's identificatie matched the authenticated burger.
The fix adds a call to a new isAuthorizedForTaak(authentication, objectsApiTask) before the status change. The check compares identificatie.type and identificatie.value against the authenticated principal and validates the task's eigenaar for bedrijf machtigingen.
Credits
Discovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.
AnalysisAI
Insecure Direct Object Reference in NL Portal's Taak V2 module (nl.nl-portal:taak) versions 1.5.0 through 3.0.0 lets any authenticated portal user holding a valid 'burger' OAuth token complete and tamper with another user's task by supplying its task ID. Because the submitTaakV2 GraphQL mutation never verified task ownership, an attacker can overwrite another user's submitted form data (verzondenData) and read that user's previously entered personal data returned in the GraphQL response, breaking both integrity and confidentiality. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated citizen session (a normal 'burger' OAuth token, PR:L) on a deployment running nl.nl-portal:taak version 1.5.0 through 3.0.0 with the Taak V2 submitTaakV2 GraphQL mutation exposed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, base 8.1 High) is internally consistent with the description: a network-reachable GraphQL endpoint, low complexity, low privilege (any valid citizen login), no user interaction, and high confidentiality and integrity impact with no availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A citizen registers a normal account on a municipality's NL Portal instance and obtains a valid burger OAuth token, then calls the submitTaakV2 GraphQL mutation with another citizen's task UUID and an arbitrary payload. The server completes the victim's task, overwrites its verzondenData with the attacker's input, and returns the full task including the victim's previously entered form data, letting the attacker both falsify submissions in the victim's name and read their personal information. … |
| Remediation | Vendor-released patch: 3.0.1 - upgrade the nl.nl-portal:taak dependency to 3.0.1 or later, which adds the isAuthorizedForTaak(authentication, objectsApiTask) ownership check (fix commit 8e699add) validating identificatie.type and identificatie.value against the authenticated principal and the task eigenaar for bedrijf machtigingen. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all affected Taak V2 deployments and assess the volume and sensitivity of stored task data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6h3c-r723-7fx3