Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network GraphQL endpoint with a legitimate low-privilege workspace member (PR:L), trivial to trigger (AC:L), and read-only disclosure of history data yields C:H with I:N/A:N.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.
AnalysisAI
Broken access control in AFFiNE (toeverything/AFFiNE monorepo) lets any authenticated workspace member read the edit history of documents they should not access by querying the GraphQL 'histories' field with an arbitrary document GUID. Because the resolver never checks Doc.Read permission, an attacker can enumerate private page timelines and harvest contributor user names, emails, and edit timestamps. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account that is a member of the target AFFiNE workspace (PR:L) and knowledge of a target document's GUID; the attacker must reach the GraphQL API over the network and send a 'histories' query for that GUID. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) scores 7.1 and is internally consistent with the description: network-reachable GraphQL endpoint, low attack complexity, low privileges (a legitimate but unauthorized workspace member), no user interaction, and a pure confidentiality impact with no integrity or availability effect - which matches an information-disclosure/read-only authorization bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A disgruntled member of a shared AFFiNE workspace who has access to some pages but not to a confidential HR or strategy document obtains that document's GUID (e.g., from a shared link, referral, or enumeration) and issues a GraphQL query for its 'histories' field. The server returns the full edit timeline - prior content revisions plus the names, emails, and timestamps of every contributor - even though the attacker was never granted Doc.Read on that page. … |
| Remediation | Patch available per vendor advisory: apply the upstream fix commit https://github.com/toeverything/AFFiNE/commit/1f0bcd01a37a522393fc1b288395e3a72a79ccad, which adds the missing Doc.Read permission check to the GraphQL histories resolver; a released patched version was not independently confirmed from the provided data, so self-hosters should build from a revision including this commit or track the referenced issue (https://github.com/toeverything/AFFiNE/issues/15179) for a tagged release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all AFFiNE deployments and current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42314
GHSA-m4gp-5xh5-xhq4