Back to overview

CVE-2026-59262

MEDIUM
6.5
CVSS 3.1
Description
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

Metadata

CVE ID
CVE-2026-59262
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-04 12:17 UTC
Published
2026-07-08 15:44 UTC
Last updated
2026-07-08 15:44 UTC
Primary CWE
CWE-862
Missing Authorization
Vendor / Product
affine / monorepo
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
affine monorepo 0 < 0.26.3, 0 ≤ 1f0bcd0
Weakness (CWE)
CWESourceDescription
CWE-862 cna Missing Authorization
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Back to overview