CVE-2026-56767 | Maxun before 0.0.42 contains a cross-tenant insecure direct … | CVSS 8.8 HIGH

Description

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.

Metadata

CVE ID: CVE-2026-56767
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-22 21:55 UTC
Published: 2026-06-25 18:03 UTC
Last updated: 2026-06-25 20:28 UTC
Primary CWE: CWE-862
Missing Authorization
Vendor / Product: getmaxun / maxun
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
getmaxun	maxun	—	0 < 0.0.42, 0.0.42

Weakness (CWE)

CWE	Source	Description
CWE-862	cna	Missing Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (4)