Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable IDOR needing only a low-privileged account (PR:L, AC:L, UI:N); token theft plus robot modify/delete give C:H/I:H/A:H; scope kept U to match the official 4.0 SC/SI/SA:N.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.
AnalysisAI
Cross-tenant access in Maxun (the open-source no-code web data extraction/scraping platform) before 0.0.42 allows any authenticated user to read, modify, delete, or run other tenants' robots and to exfiltrate their plaintext Google and Airtable OAuth access tokens by abusing storage and webhook API handlers that never check resource ownership. The flaw stems from API endpoints querying robots by ID alone (e.g. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Maxun account (CVSS PR:L) and a deployment serving more than one tenant/user - on a multi-tenant or shared/SaaS instance the attacker simply invokes the storage, webhook, or /sdk/robots API handlers (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a genuine priority on any multi-tenant deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains any low-privileged account on a shared Maxun instance, then calls the robot/storage or /sdk/robots API endpoints supplying victim robot IDs (or simply requesting the unscoped robot listing). Because ownership is never enforced, the response returns other tenants' robot definitions and their plaintext Google/Airtable OAuth tokens, which the attacker can replay against those third-party services, or they can trigger runs and modify/delete the victim robots. … |
| Remediation | Upgrade to Maxun 0.0.42 or later, which is the vendor-released patch (PR #1088 / commit 11db0257531f1c23dec94727793c9444ee2873cf) that adds explicit req.user checks and scopes every robot/run query with userId in both server/src/api/record.ts and server/src/api/sdk.ts. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Maxun deployments to identify versions prior to 0.0.42 and determine which are configured for multi-tenant use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Use of hard-coded cryptographic keys in getmaxun maxun up to version 0.0.28 allows remote unauthenticated attackers to m
Improper authorization in getmaxun maxun up to version 0.0.28 allows authenticated remote attackers to access unauthoriz
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39517
GHSA-44p3-ph5c-h5h3