Skip to main content

AFFiNE CVE-2026-59262

| EUVDEUVD-2026-42314 HIGH
Missing Authorization (CWE-862)
2026-07-08 VulnCheck GHSA-m4gp-5xh5-xhq4
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network GraphQL endpoint with a legitimate low-privilege workspace member (PR:L), trivial to trigger (AC:L), and read-only disclosure of history data yields C:H with I:N/A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 16:31 vuln.today

DescriptionCVE.org

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

AnalysisAI

Broken access control in AFFiNE (toeverything/AFFiNE monorepo) lets any authenticated workspace member read the edit history of documents they should not access by querying the GraphQL 'histories' field with an arbitrary document GUID. Because the resolver never checks Doc.Read permission, an attacker can enumerate private page timelines and harvest contributor user names, emails, and edit timestamps. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged workspace member
Delivery
Obtain target private document GUID
Exploit
Send GraphQL query for histories field
Execution
Bypass missing Doc.Read check
Impact
Exfiltrate edit history, names, emails, timestamps

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account that is a member of the target AFFiNE workspace (PR:L) and knowledge of a target document's GUID; the attacker must reach the GraphQL API over the network and send a 'histories' query for that GUID. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) scores 7.1 and is internally consistent with the description: network-reachable GraphQL endpoint, low attack complexity, low privileges (a legitimate but unauthorized workspace member), no user interaction, and a pure confidentiality impact with no integrity or availability effect - which matches an information-disclosure/read-only authorization bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A disgruntled member of a shared AFFiNE workspace who has access to some pages but not to a confidential HR or strategy document obtains that document's GUID (e.g., from a shared link, referral, or enumeration) and issues a GraphQL query for its 'histories' field. The server returns the full edit timeline - prior content revisions plus the names, emails, and timestamps of every contributor - even though the attacker was never granted Doc.Read on that page. …
Remediation Patch available per vendor advisory: apply the upstream fix commit https://github.com/toeverything/AFFiNE/commit/1f0bcd01a37a522393fc1b288395e3a72a79ccad, which adds the missing Doc.Read permission check to the GraphQL histories resolver; a released patched version was not independently confirmed from the provided data, so self-hosters should build from a revision including this commit or track the referenced issue (https://github.com/toeverything/AFFiNE/issues/15179) for a tagged release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all AFFiNE deployments and current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy