Description
The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.
Published: 2026-06-05
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR in the Comment API of Linqi. Because the application does not verify the requesting user’s permissions for the relatedObjectId, an authenticated user can read or submit comments on any process, including those belonging to other business units. This flaw enables arbitrary disclosure and tampering of business process data, compromising confidentiality and integrity across the organization.

Affected Systems

Linqi GmbH’s Linqi application is affected. The specific product and version details are not disclosed, but the flaw exists in any deployment that includes the Comment API endpoints (GET /api/Comment and POST /api/Comment).

Risk and Exploitability

The CVSS score of 7.1 indicates a high‑severity vulnerability. The EPSS score is not available, so the exact likelihood of exploitation cannot be quantified, though the flaw is readily exploitable by any authenticated user who can supply an arbitrary GUID. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw simply by including an arbitrary relatedObjectId in a request, with no additional conditions.

Generated by OpenCVE AI on June 5, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linqi patch that enforces authorization checks on the Comment API endpoints.
  • Verify that GET /api/Comment and POST /api/Comment correctly validate the relatedObjectId against the authenticated user’s permissions.
  • If a patch cannot be applied immediately, restrict API access using role‑based access control or network segmentation so that only authorized users can read or write comments for their own business units.

Generated by OpenCVE AI on June 5, 2026 at 14:37 UTC.
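As an added illustration of the check the second recommendation calls for (example code written for this page, not Linqi's implementation; the user/process/business-unit model, the Python language and all names are assumptions), a Comment handler that trusts relatedObjectId as proof of access is shown beside one that resolves the GUID and verifies the caller's business-unit membership before any read or write:

```python
from dataclasses import dataclass, field
import uuid

@dataclass(frozen=True)
class User:
    user_id: str
    business_units: frozenset  # business units the caller may act in

@dataclass
class Process:
    business_unit: str
    comments: list = field(default_factory=list)

class Forbidden(Exception):
    """Raised when the caller may not access the referenced object."""

# Constructed sample data: two processes owned by two different business units.
PROCESSES = {
    uuid.UUID("11111111-1111-4111-8111-111111111111"): Process("sales", ["Q3 forecast ready"]),
    uuid.UUID("22222222-2222-4222-8222-222222222222"): Process("finance", ["audit pending"]),
}

def get_comments_unchecked(user: User, related_object_id: str) -> list:
    # Vulnerable pattern (CWE-639): a valid GUID is treated as proof of access,
    # so any authenticated user can read comments on any process.
    return list(PROCESSES[uuid.UUID(related_object_id)].comments)

def authorize(user: User, related_object_id: str) -> Process:
    # Hardened pattern: resolve the object, then require that it belongs to a
    # business unit the caller is a member of. Malformed, unknown and
    # unauthorized IDs all fail identically so the API does not reveal which GUIDs exist.
    try:
        oid = uuid.UUID(related_object_id)
    except ValueError:
        raise Forbidden(related_object_id)
    proc = PROCESSES.get(oid)
    if proc is None or proc.business_unit not in user.business_units:
        raise Forbidden(related_object_id)
    return proc

def get_comments(user: User, related_object_id: str) -> list:
    return list(authorize(user, related_object_id).comments)

def post_comment(user: User, related_object_id: str, text: str) -> int:
    proc = authorize(user, related_object_id)
    proc.comments.append(f"{user.user_id}: {text}")
    return len(proc.comments)
```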

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Linqi; Linqi linqi

Type: Vendors & Products
Values Removed: (none)
Values Added: Linqi; Linqi linqi

Fri, 05 Jun 2026 13:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.

Type: Title
Values Removed: (none)
Values Added: IDOR in Comment API Allows Cross-Process Comment Read and Write

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0, score 7.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: linqi

Published:

Updated: 2026-06-05T12:37:46.830Z

Reserved: 2026-06-05T12:01:06.663Z

Link: CVE-2026-11369

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-05T14:16:35.657

Modified: 2026-06-05T14:16:35.657

Link: CVE-2026-11369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T14:45:43Z

Weaknesses