CVE-2026-12213
MEDIUM
4.3
CVSS 3.1
Description
A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Metadata
Severity & Metrics
4.3
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| hcengineering | Huly Platform | — | 0.1, 0.2, 0.3, 0.4 … |
Weakness (CWE)
CVSS scores (4)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 5.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P |
| 4.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R |
| 4.3 | MEDIUM | 3.0 | cna | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R |
| 4.0 | N/D | 2.0 | cna | AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR |
References (4)
- VDB-370855 | hcengineering Huly Platform User Information operations.ts getAccountInfo improper authorization https://vuldb.com/vuln/370855
- VDB-370855 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/370855/cti
- CVE-2026-12213 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-12213
- Submit #832974 | Huly hcengineering/platform <= 0.7.0 (confirmed on commit 18ef71b) Authorization Bypass Through User-Controlled SQL Primary Key https://vuldb.com/submit/832974