An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
The vulnerability has now been fixed, so we recommend updating to the latest available version.
Workaround
No workaround given by the vendor.
References
History
Mon, 06 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data. | |
| Title | Incorrect authorisation in Adiss’s Biloop | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: INCIBE
Published:
Updated: 2026-07-06T08:48:54.613Z
Reserved: 2026-06-19T08:38:05.732Z
Link: CVE-2026-12686
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses