CVE-2026-56767

Source
https://cve.org/CVERecord?id=CVE-2026-56767
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-56767.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-56767
Published
2026-06-25T18:03:33.720Z
Modified
2026-06-26T04:11:18.441313618Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers
Details

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference (IDOR) in its storage and webhook API handlers: the endpoints authenticate the caller but do not verify that the robot named in the request belongs to that caller (CWE-862, missing authorization). Any authenticated user can therefore supply another user's robot identifier and read that user's plaintext Google and Airtable OAuth access tokens, or modify, delete or execute that user's robots. The CVSS vector reflects this: reachable over the network, low attack complexity, only a low-privilege account required (PR:L), with high confidentiality, integrity and availability impact on the affected tenant's data.
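The class of defect the advisory describes, as an added example that is not Maxun's own code: a minimal robot-storage read and delete handler, first with the missing ownership check and then hardened, written in JavaScript (Maxun's backend runs on Node). The in-memory store, the field names, the handler names and the sample tenants are assumptions constructed for illustration; they are not taken from the Maxun code base.

```javascript
// Added example, not Maxun's code: a robot-storage read and delete handler
// showing the authorization gap CVE-2026-56767 describes and one fix.
// Store layout, field names and handler names are assumptions for illustration.

// Constructed sample data: two tenants, each owning one robot whose record
// carries a plaintext OAuth access token (as the advisory describes).
const robots = new Map([
  ["r-100", { id: "r-100", userId: "alice", name: "crawl-a", googleAccessToken: "ya29.alice" }],
  ["r-200", { id: "r-200", userId: "bob", name: "crawl-b", googleAccessToken: "ya29.bob" }],
]);

// Vulnerable: the session proves the caller is logged in, but the lookup is
// keyed on the robot id alone. Any authenticated user can read any robot,
// token included. Authentication happened; authorization never did (CWE-862).
function getRobotVulnerable(session, robotId) {
  if (!session || !session.userId) return { status: 401, body: { error: "unauthenticated" } };
  const robot = robots.get(robotId);
  if (!robot) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: robot };
}

// Shared ownership lookup for the hardened handlers. Ownership is part of the
// query (the equivalent of `where: { id, userId }` in an ORM), so there is no
// separate check a new endpoint can forget. "Missing" and "not yours" both
// come back as null so the response cannot be used to enumerate other
// tenants' robot ids.
function findOwnedRobot(session, robotId) {
  const robot = robots.get(robotId);
  if (!robot || robot.userId !== session.userId) return null;
  return robot;
}

// Hardened read: ownership enforced, and the OAuth token is never serialised
// to the client, not even for the owner.
function getRobotHardened(session, robotId) {
  if (!session || !session.userId) return { status: 401, body: { error: "unauthenticated" } };
  const robot = findOwnedRobot(session, robotId);
  if (!robot) return { status: 404, body: { error: "not found" } };
  const { googleAccessToken, ...safe } = robot;
  return { status: 200, body: safe };
}

// Hardened delete: the same lookup guards the mutating endpoint, so a
// cross-tenant delete is refused before any state changes.
function deleteRobotHardened(session, robotId) {
  if (!session || !session.userId) return { status: 401, body: { error: "unauthenticated" } };
  const robot = findOwnedRobot(session, robotId);
  if (!robot) return { status: 404, body: { error: "not found" } };
  robots.delete(robotId);
  return { status: 204, body: null };
}

// What a tester would run against each handler: how many of a list of
// candidate ids does one session get a 200 for? Through the vulnerable
// handler every existing id is readable by any user; through the hardened
// one only the caller's own robot is.
function countReadable(handler, session, candidateIds) {
  return candidateIds.filter((id) => handler(session, id).status === 200).length;
}
```

The point of routing every handler through `findOwnedRobot` is that the ownership predicate lives in one place: an endpoint that forgets to call it fails closed with a 404, rather than silently serving another tenant's data. Stripping the token from the response is a separate, smaller fix; it limits what a future authorization bug can leak, but it does not replace the ownership check.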

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56767.json",
    "cwe_ids": [
        "CWE-862"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/getmaxun/maxun

Affected ranges

Type
GIT
Repo
https://github.com/getmaxun/maxun
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.42"
        }
    ]
}

Affected versions

v0.*
v0.0.01
v0.0.10
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.37
v0.0.38
v0.0.39
v0.0.40
v0.0.41
v0.0.6
v0.0.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-56767.json"