Skip to main content

TheHive EUVDEUVD-2026-45197

| CVE-2026-63099 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-17 VulnCheck GHSA-6392-9v2x-r546
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.7 HIGH

Authenticated network access (PR:L, AV:N/AC:L) leaks another organization's data across a tenant boundary, so scope changes (S:C) with confidentiality-only impact (C:H, I/A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 16:17 vuln.today
CVE Published
Jul 17, 2026 - 15:39 cve.org
HIGH 7.1

DescriptionCVE.org

TheHive through 4.1.24 contains a broken object-level authorization vulnerability in the attachment download endpoints that allows any authenticated user to access attachments belonging to other organizations by supplying a content-hash identifier. Attackers can exploit the missing organization-scoped authorization check in AttachmentSrv.visible, which is implemented as a pass-through traversal, to download arbitrary attachments.

AnalysisAI

Cross-organization data disclosure in TheHive through 4.1.24 allows any authenticated user to download attachments belonging to other organizations by supplying a known content-hash identifier. The flaw is a broken object-level authorization (BOLA/IDOR) in the attachment download endpoints, where AttachmentSrv.visible acts as a pass-through datastore traversal without enforcing organization scoping. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with valid low-privilege account
Delivery
Obtain target attachment content-hash
Exploit
Request attachment download endpoint with hash
Execution
Bypass missing org-scoped authorization check
Impact
Download cross-organization attachment

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated TheHive account (PR:L) with network access to the attachment download endpoints, and knowledge of a valid content-hash identifier for the target attachment, which is supplied directly to trigger AttachmentSrv.visible's pass-through traversal. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, base 7.1) is internally consistent with the description: network-reachable, low complexity, requires low privileges (a valid authenticated account), no user interaction, and a pure confidentiality impact with no effect on integrity or availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged analyst in Organization A (or an attacker who has phished/obtained any valid TheHive account) obtains a content-hash of an attachment belonging to Organization B - for example leaked in a shared report, API response, or prior access. Using the public POC technique, they issue an authenticated request to the attachment download endpoint supplying that hash and retrieve the file directly, bypassing organization isolation. …
Remediation No vendor-released patch version is identified in the available data, so upgrade to the vendor's fixed release once published and monitor the VulnCheck advisory (https://www.vulncheck.com/advisories/thehive-broken-object-level-authorization-via-attachment-download-endpoints) and TheHive project releases for a version beyond 4.1.24 that adds an organization-scoped authorization check to AttachmentSrv.visible. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all TheHive instances running version 4.1.24 or earlier and restrict network access to trusted internal networks only; limit authenticated user accounts to minimum required scope and establish monitoring of attachment download logs for cross-organization access patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy