CVE-2026-29200: CWE-639 Insecure Direct Object Reference (IDOR) in WebPros Comet Backup
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
AI Analysis
Technical Summary
CVE-2026-29200 is an IDOR vulnerability in WebPros Comet Backup that affects versions from 20.11.0 to 26.1.1 and 26.2.1. The flaw allows a tenant administrator to impersonate any end-user account of other tenants on the same server by exploiting a vulnerable API call. This enables unauthorized access across tenant boundaries, violating access controls. The vulnerability has a critical CVSS 4.0 score of 9.9, reflecting its high impact and ease of exploitation without privileges or user interaction. No official patch or remediation information is currently available from the vendor, and no known exploits have been reported in the wild.
Potential Impact
Successful exploitation allows a tenant administrator to impersonate any end-user account of other tenants on the same server, potentially leading to unauthorized access to sensitive data and operations across tenant boundaries. This compromises confidentiality and integrity of tenant data within the affected Comet Backup server environment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict tenant administrator privileges to trusted personnel only and monitor for suspicious activity related to cross-tenant access attempts. Avoid exposing the vulnerable API externally if possible.
CVE-2026-29200: CWE-639 Insecure Direct Object Reference (IDOR) in WebPros Comet Backup
Description
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-29200 is an IDOR vulnerability in WebPros Comet Backup that affects versions from 20.11.0 to 26.1.1 and 26.2.1. The flaw allows a tenant administrator to impersonate any end-user account of other tenants on the same server by exploiting a vulnerable API call. This enables unauthorized access across tenant boundaries, violating access controls. The vulnerability has a critical CVSS 4.0 score of 9.9, reflecting its high impact and ease of exploitation without privileges or user interaction. No official patch or remediation information is currently available from the vendor, and no known exploits have been reported in the wild.
Potential Impact
Successful exploitation allows a tenant administrator to impersonate any end-user account of other tenants on the same server, potentially leading to unauthorized access to sensitive data and operations across tenant boundaries. This compromises confidentiality and integrity of tenant data within the affected Comet Backup server environment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict tenant administrator privileges to trusted personnel only and monitor for suspicious activity related to cross-tenant access attempts. Avoid exposing the vulnerable API externally if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- hackerone
- Date Reserved
- 2026-03-04T15:00:09.266Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f83e68cbff5d8610c9d5a2
Added to database: 5/4/2026, 6:36:24 AM
Last enriched: 5/4/2026, 6:51:21 AM
Last updated: 5/4/2026, 10:05:35 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.