Skip to main content

AFFiNE EUVDEUVD-2026-26840

| CVE-2026-7702 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-03 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Generated
May 03, 2026 - 16:30 vuln.today
CVSS changed
May 03, 2026 - 16:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
May 03, 2026 - 16:15 vuln.today
Public exploit code
EUVD ID Assigned
May 03, 2026 - 16:15 euvd
EUVD-2026-26840
Analysis Generated
May 03, 2026 - 16:15 vuln.today
CVE Published
May 03, 2026 - 15:45 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Authorization bypass in AFFiNE up to version 0.26.3 allows remote unauthenticated attackers to access restricted document previews through the Public Markdown Preview Endpoint (/workspace/:workspaceId/:docId). The allowDocPreview function fails to properly validate access permissions, enabling attackers to retrieve sensitive document content without authentication. Public exploit code is available, and the vendor has not responded to early disclosure attempts.

Technical ContextAI

AFFiNE is a collaborative workspace platform with a Public Markdown Preview Endpoint designed to share document previews via URL. The vulnerability exists in the allowDocPreview authorization function within the /workspace/:workspaceId/:docId endpoint, which is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The root cause is insufficient or missing access control validation in the endpoint logic, allowing the preview feature to be accessed without proper authentication or permission checks. The CPE cpe:2.3:a:toeverything:affine:*:*:*:*:*:*:*:* indicates all AFFiNE versions up to 0.26.3 are affected. The endpoint is exposed at the network level with low complexity, suggesting the authorization check can be bypassed with a simple HTTP request.

RemediationAI

Upgrade AFFiNE to a version beyond 0.26.3 immediately once available from the vendor. Since no patched version is confirmed in the provided data and the vendor has not responded to disclosure attempts, monitor the official AFFiNE GitHub repository and release notes for security updates. As an interim mitigation, restrict network access to the /workspace/:workspaceId/:docId endpoint using a Web Application Firewall (WAF) or network-level controls-allow access only from trusted IP ranges or require authentication via reverse proxy. Additionally, implement API rate limiting on the preview endpoint to reduce reconnaissance and bulk-access risk. Disable or restrict the Public Markdown Preview feature entirely if document sharing is not required in your deployment. Note that these compensating controls may impact legitimate sharing workflows, so coordinate with users before implementation. Given the vendor's non-responsiveness, consider switching to an alternative collaboration platform if timely patching cannot be guaranteed.

Share

EUVD-2026-26840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy