CVE-2026-11369: CWE-639: Authorization Bypass Through User-Controlled Key in linqi GmbH linqi
The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.
AI Analysis
Technical Summary
The linqi application suffers from an authorization bypass vulnerability (CWE-639) in its Comment API. Specifically, the GET and POST methods for /api/Comment fail to perform proper authorization checks on the relatedObjectId parameter. As a result, authenticated users can access or modify comments on any process by providing arbitrary object GUIDs, bypassing intended access controls. This vulnerability is categorized as an IDOR and has a CVSS 4.0 base score of 7.1, indicating a high impact due to network attack vector, low attack complexity, and no user interaction required.
Potential Impact
An attacker with valid authentication credentials can read and write comments on any process across all business units, potentially exposing or altering sensitive information. This compromises the integrity and confidentiality of comment data within the application. There is no indication of privilege escalation beyond comment access or impact on other system components based on the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided by the vendor, organizations should monitor vendor communications for updates. Until a fix is available, consider restricting access to the Comment API endpoints to trusted users only and implementing additional access control checks at the application or network level if possible.
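The application-level control named above, as an added illustration that is not linqi's code: a minimal comment service in which the hardened handlers authorize the caller against the business unit that owns the object behind relatedObjectId, shown beside the unchecked handler the advisory describes. All class names, GUIDs and user names here are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: str
    business_units: frozenset   # units the authenticated caller belongs to

@dataclass(frozen=True)
class Process:
    object_id: str              # GUID the client sends as relatedObjectId
    business_unit: str          # unit that owns the process

class AuthorizationError(PermissionError):
    pass

class CommentService:
    def __init__(self, processes):
        self._processes = {p.object_id: p for p in processes}
        self._comments = {}     # object_id -> [(author, text), ...]

    def _authorize(self, user, related_object_id):
        # The object-level check the vulnerable endpoint lacks: the caller must
        # belong to the unit owning the referenced process. Unknown ids get the
        # same error as forbidden ones so the API does not reveal which GUIDs exist.
        process = self._processes.get(related_object_id)
        if process is None or process.business_unit not in user.business_units:
            raise AuthorizationError(related_object_id)

    def get_comments_vulnerable(self, user, related_object_id):
        # Authenticated, but never authorized against the object (CWE-639).
        return list(self._comments.get(related_object_id, []))

    def get_comments(self, user, related_object_id):
        self._authorize(user, related_object_id)
        return list(self._comments.get(related_object_id, []))

    def post_comment(self, user, related_object_id, text):
        self._authorize(user, related_object_id)
        self._comments.setdefault(related_object_id, []).append((user.user_id, text))
        return len(self._comments[related_object_id])

# Constructed sample data; these GUIDs and names are not real linqi identifiers.
SALES_PROC = "11111111-2222-3333-4444-555555555555"
FINANCE_PROC = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ALICE = User("alice", frozenset({"sales"}))
BOB = User("bob", frozenset({"finance"}))

def build_service():
    svc = CommentService([Process(SALES_PROC, "sales"), Process(FINANCE_PROC, "finance")])
    svc.post_comment(BOB, FINANCE_PROC, "Q3 budget approved")
    return svc
```

With the check in place, a caller from one business unit supplying another unit's GUID receives the same authorization error as one supplying a GUID that does not exist.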
CVSS v4.0 Score: 7.1 (High)
Weaknesses: CWE-639 Authorization Bypass Through User-Controlled Key
Technical Details
- Data Version: 5.2
- Assigner Short Name: linqi
- Date Reserved: 2026-06-05T12:01:06.663Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a22d3b5e29bf47b5076ed49
Added to database: 6/5/2026, 1:48:37 PM
Last enriched: 6/5/2026, 2:03:33 PM
Last updated: 6/6/2026, 4:50:07 AM