Skip to main content

NL Portal documenten-api CVE-2026-54683

MEDIUM
Improper Authorization (CWE-285)
2026-06-18 https://github.com/nl-portal/nl-portal-backend-libraries GHSA-jr45-52cw-69h5
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible endpoints require only a valid user session (PR:L); UUID guessing difficulty is a practical barrier, not a CVSS complexity factor, as no cryptographic or race-condition prerequisite exists once an ID is known.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 18:02 vuln.today
Analysis Generated
Jun 18, 2026 - 18:02 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 maven packages depend on nl.nl-portal:documenten-api (3 direct, 4 indirect)

Ecosystem-wide dependent count for version 3.0.3.

DescriptionGitHub Advisory

Summary

A previous advisory (CVE-2026-49463 / GHSA-qpm9-h556-mwxm) reported that any logged-in user could download any document by its identifier, and stated this was fixed in 3.0.1. For the document-content part that fix was incomplete: documents remained downloadable by any authenticated user in 3.0.1 and 3.0.2, and the issue was only fully resolved in 3.0.3.

Relationship to CVE-2026-49463

This advisory is a follow-up to CVE-2026-49463. That advisory described the problem on the GraphQL getDocumentContent query and listed nl.nl-portal:documenten-api as fixed in 3.0.1. In practice:

  • The 3.0.1 change added an authentication parameter to the GraphQL query but never used it, so the query kept returning any document regardless of ownership.
  • The same flaw also existed on a REST endpoint that the original advisory did not cover, and that endpoint was not changed in 3.0.1 or 3.0.2.

Both were removed in 3.0.3, which is the first release where the document-content issue is actually fixed.

What was wrong

A document's contents could be fetched in two ways, and neither verified the caller's relationship to the document:

  • a REST endpoint: GET /api/documentapi/{documentapi}/document/{documentId}/content
  • a GraphQL query: getDocumentContent

Being logged in was required, but that was the *only* check - there was no per-document authorization. (A security rule meant to guard the REST endpoint also pointed at the wrong URL and never took effect; even if it had, it would only have required a login, not ownership.)

Proof of concept

While logged in as any portal user, request a document that belongs to someone else:

GET /api/documentapi/openzaak/document/<another-users-document-id>/content

The server returns the document contents (HTTP 200), even though the caller has no relationship to that document. The getDocumentContent GraphQL query behaves the same way.

Impact

A logged-in user could read the contents of documents belonging to other people. In a citizen or business portal these documents can contain sensitive personal information. To exploit this, an attacker needs a valid login and a target document's identifier. Document identifiers are random and hard to guess, which limits - but does not prevent - abuse, since identifiers can leak through other channels.

Patches

Fixed in 3.0.3. Both the REST endpoint and the GraphQL query were removed entirely. Document contents can now only be downloaded through endpoints that first confirm the caller is allowed to see the document:

  • one that requires the caller to have a role on the related case (*zaak*);
  • one that requires the caller to own the message (*bericht*) the document is attached to.

If your application relied on the removed endpoints, switch to one of these case- or message-scoped download endpoints.

Workarounds

If you cannot upgrade immediately, block the path GET /api/documentapi/*/document/*/content and the getDocumentContent GraphQL query at your gateway or reverse proxy, and remove any client code that calls them. There is no setting that adds the missing per-document check in affected versions; upgrading (or removing the endpoints) is the only complete fix.

References

  • Related advisory: GHSA-qpm9-h556-mwxm (CVE-2026-49463)
  • Fix commits: 6e738a87 (GraphQL query removed, PR #690), e326e6db (REST endpoint removed)
  • Affected module: nl.nl-portal:documenten-api

Credits

Reported by Ray Sabee, https://whitehatsecurity.nl/ (independent security researcher). Github handle: raysabee

AnalysisAI

Improper authorization in nl.nl-portal:documenten-api (NL Portal Backend Libraries) exposes document contents to any authenticated portal user, regardless of document ownership. The flaw persisted across versions 3.0.1 and 3.0.2 despite a prior fix attempt for CVE-2026-49463: the GraphQL fix added an authentication parameter that was never passed to the service layer, and a parallel REST endpoint was left entirely unaddressed and protected only by a misconfigured security rule pointing at the wrong URL. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid portal credentials
Delivery
Authenticate to NL Portal session
Exploit
Acquire target document UUID via leak or secondary channel
Execution
Send crafted GET request to unguarded REST endpoint
Impact
Server returns full document content without ownership check

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session on the NL Portal instance (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) accurately reflects the threat profile: network-reachable, low complexity, requires only a valid authenticated session, and yields full confidentiality impact on targeted documents with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid portal account (for example, a citizen who legitimately registered on the platform) authenticates and obtains a document UUID belonging to another user - either through a URL logged in browser history, an API response that exposes identifiers, or an insider tip. The attacker sends GET /api/documentapi/openzaak/document/<target-uuid>/content while authenticated, and the server returns the full document contents with HTTP 200. …
Remediation Upgrade nl.nl-portal:documenten-api to version 3.0.3 or later; this is the first release where both the REST and GraphQL document-content surfaces are fully removed and replaced with ownership-scoped alternatives. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy