toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-7702

Source VulDB

Published May 3, 2026 at 15:45

Affected Product

Vendor toeverything

Product AFFiNE

Version 0.26.0

Affected Versions toeverything AFFiNE 0.26.0
toeverything AFFiNE 0.26.1
toeverything AFFiNE 0.26.2
toeverything AFFiNE 0.26.3

CWE Classification

CWE-639 CWE-285

References

{
    "lastseen": "",
    "description": "A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-05-03T15:45:10.969Z",
    "modified": "2026-05-03T15:45:10.969Z",
    "type": "cve",
    "title": "toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/360871\nhttps://vuldb.com/vuln/360871/cti\nhttps://vuldb.com/submit/804455\nhttps://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4",
    "id": "CVE-2026-7702",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639",
        "CWE-285"
    ],
    "cvelist": null,
    "sourceData": "toeverything AFFiNE 0.26.0\ntoeverything AFFiNE 0.26.1\ntoeverything AFFiNE 0.26.2\ntoeverything AFFiNE 0.26.3",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AFFiNE",
    "version": "0.26.0",
    "vendor": "toeverything",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization_CVE-2026-7702