Authorization Bypass Through User-Controlled Key in OutSystems Lifetime_CVE-2026-40127

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application.

This issue was fixed in OutSystems Lifetime version 11.28.2.3955

Basic Information

ID CVE-2026-40127

Source CERT-PL

Published May 25, 2026 at 10:18

Affected Product

Vendor OutSystems

Product Lifetime

Affected Versions OutSystems Lifetime 0

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can\u00a0read the Change Log containing actions performed by other users as well as application name of any application.\n\nThis issue was fixed in OutSystems Lifetime version\u00a011.28.2.3955",
    "published": "2026-05-25T10:18:05.904Z",
    "modified": "2026-05-25T10:18:05.904Z",
    "type": "cve",
    "title": "Authorization Bypass Through User-Controlled Key in OutSystems Lifetime",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2026/05/CVE-2026-40126/\nhttps://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953&MajorVersion=11&ComponentName=LifeTime",
    "id": "CVE-2026-40127",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "OutSystems Lifetime 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Lifetime",
    "version": "0",
    "vendor": "OutSystems",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}