Description
An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
Vendor Solution
The vulnerability has now been fixed, so we recommend updating to the latest available version.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Mon, 06 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data. | |
| Title | Incorrect authorisation in Adiss’s Biloop | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: INCIBE
Published:
Updated: 2026-07-06T08:48:54.613Z
Reserved: 2026-06-19T08:38:05.732Z
Link: CVE-2026-12686
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses