IDOR in Comment API Allows Cross-Process Comment Read and Write

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Description

The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.

Basic Information

ID CVE-2026-11369

Source linqi

Published Jun 5, 2026 at 12:37

Affected Product

Vendor linqi GmbH

Product linqi

Affected Versions linqi GmbH linqi 0

CWE Classification

CWE-639

References

linqi.help /en/reference/security/security-advisories/

{
    "lastseen": "",
    "description": "The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.",
    "published": "2026-06-05T12:37:46.830Z",
    "modified": "2026-06-05T12:37:46.830Z",
    "type": "cve",
    "title": "IDOR in Comment API Allows Cross-Process Comment Read and Write",
    "source": "linqi",
    "references": "https://linqi.help/en/reference/security/security-advisories/#security-advisory-insecure-direct-object-reference-idor-in-comment-api-in-linqi",
    "id": "CVE-2026-11369",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "linqi GmbH linqi 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "linqi",
    "version": "0",
    "vendor": "linqi GmbH",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

IDOR in Comment API Allows Cross-Process Comment Read and Write_CVE-2026-11369