CVE-2026-56767: Missing Authorization in getmaxun maxun
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.
AI Analysis
Technical Summary
CVE-2026-56767 describes a vulnerability in maxun before version 0.0.42 where insufficient authorization checks in storage and webhook API handlers enable authenticated users to access and manipulate resources belonging to other tenants. This includes unauthorized access to robots and OAuth tokens, allowing attackers to read sensitive tokens in plaintext and perform unauthorized actions such as modification, deletion, or execution of other users' robots. The vulnerability is classified as a cross-tenant insecure direct object reference issue.
Potential Impact
Authenticated users can bypass ownership verification in API endpoints, leading to unauthorized disclosure of sensitive OAuth tokens (Google and Airtable) and unauthorized control over other users' robots. This compromises confidentiality, integrity, and availability of affected users' resources.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been documented at this time. Users should monitor vendor communications for updates and apply patches once available.
CVSS v4.0
Score: 8.7 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-06-22T21:55:17.942Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3d73fb4853345fc14dfa3c
Added to database: 06/25/2026, 18:31:23 UTC
Last enriched: 06/25/2026, 18:46:22 UTC
Last updated: 06/25/2026, 21:46:07 UTC