An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.
Metrics
Affected Vendors & Products
References
History
Mon, 06 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 06 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data. | |
| Title | Incorrect authorisation in Adiss’s Biloop | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: INCIBE
Published:
Updated: 2026-07-06T12:50:57.194Z
Reserved: 2026-06-19T08:38:05.732Z
Link: CVE-2026-12686
Updated: 2026-07-06T12:50:53.831Z
No data.
No data.
OpenCVE Enrichment
No data.