Skip to main content

Maxun CVE-2026-56767

| EUVDEUVD-2026-39517 HIGH
Missing Authorization (CWE-862)
2026-06-25 VulnCheck GHSA-44p3-ph5c-h5h3
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable IDOR needing only a low-privileged account (PR:L, AC:L, UI:N); token theft plus robot modify/delete give C:H/I:H/A:H; scope kept U to match the official 4.0 SC/SI/SA:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 18:53 vuln.today
Analysis Generated
Jun 25, 2026 - 18:53 vuln.today

DescriptionCVE.org

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

AnalysisAI

Cross-tenant access in Maxun (the open-source no-code web data extraction/scraping platform) before 0.0.42 allows any authenticated user to read, modify, delete, or run other tenants' robots and to exfiltrate their plaintext Google and Airtable OAuth access tokens by abusing storage and webhook API handlers that never check resource ownership. The flaw stems from API endpoints querying robots by ID alone (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privileged Maxun account
Delivery
Call storage/SDK robot API with victim robot ID
Exploit
Bypass missing ownership check (CWE-862)
Execution
Read other tenants' robots and plaintext OAuth tokens
Impact
Replay Google/Airtable tokens or modify/delete robots

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Maxun account (CVSS PR:L) and a deployment serving more than one tenant/user - on a multi-tenant or shared/SaaS instance the attacker simply invokes the storage, webhook, or /sdk/robots API handlers (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent and point to a genuine priority on any multi-tenant deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains any low-privileged account on a shared Maxun instance, then calls the robot/storage or /sdk/robots API endpoints supplying victim robot IDs (or simply requesting the unscoped robot listing). Because ownership is never enforced, the response returns other tenants' robot definitions and their plaintext Google/Airtable OAuth tokens, which the attacker can replay against those third-party services, or they can trigger runs and modify/delete the victim robots. …
Remediation Upgrade to Maxun 0.0.42 or later, which is the vendor-released patch (PR #1088 / commit 11db0257531f1c23dec94727793c9444ee2873cf) that adds explicit req.user checks and scopes every robot/run query with userId in both server/src/api/record.ts and server/src/api/sdk.ts. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Maxun deployments to identify versions prior to 0.0.42 and determine which are configured for multi-tenant use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy