Description
A vulnerability has been found in hcengineering Huly Platform up to 0.7.0. Affected is the function getMailboxSecret of the file server/account/src/operations.ts of the component RPC Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A function in the RPC Interface, getMailboxSecret, contains improper access controls that can be manipulated remotely. An attacker can obtain mailbox secrets that are meant to be protected, leading to confidential data compromise. The weakness is a role-based or authentication bypass error, classified as CWE-266 and CWE-284.

Affected Systems

The vulnerability exists in hcengineering Huly Platform versions up to 0.7.0. Any deployment running version 0.7.0 or earlier is vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, so current exploitation prevalence is unknown. The attack vector is remote and the exploit has already been disclosed publicly, implying that an attacker could target the platform from the network if the RPC endpoint is not adequately protected.

Generated by OpenCVE AI on June 15, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Huly Platform to a version later than 0.7.0 if a patch is available.
  • If an update cannot be performed immediately, enforce strict network access controls so that the RPC interface is reachable only by trusted, authenticated systems.
  • Continuously monitor API logs for unexpected calls to getMailboxSecret and review access patterns for anomalies.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 04:15:00 +0000

Values Added (the Values Removed column is empty):
Description: same text as the Description at the top of this page
Title: hcengineering Huly Platform RPC operations.ts getMailboxSecret access control
First Time appeared: Hcengineering; Hcengineering huly Platform
Weaknesses: CWE-266, CWE-284
CPEs: cpe:2.3:a:hcengineering:huly_platform:*:*:*:*:*:*:*:*
Vendors & Products: Hcengineering; Hcengineering huly Platform
References:
Metrics:
  cvssV2_0: score 4, vector AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR
  cvssV3_0: score 4.3, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
  cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
  cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T03:00:08.377Z

Reserved: 2026-06-14T12:37:59.487Z

Link: CVE-2026-12212

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T04:16:25.417

Modified: 2026-06-15T04:16:25.417

Link: CVE-2026-12212

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T05:30:30Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-284

    Improper Access Control