Description
A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the User Information Handler’s getAccountInfo operation allows an attacker to retrieve account information without proper authorization, exposing sensitive user data. This improper authorization is described by CWE‑266 and CWE‑285 and may compromise confidentiality and integrity of private account details.

Affected Systems

hcengineering Huly Platform, versions up to 0.7.0.

Risk and Exploitability

The vulnerability scores a CVSS of 5.3 and is not listed in the KEV catalog. While an EPSS score is not provided, the exploit is publicly available and can be launched remotely, indicating a realistic risk of unauthorized data exposure to authenticated or unauthenticated users depending on the role-based restrictions in place. The lack of timely vendor response amplifies the potential exposure window.

Generated by OpenCVE AI on June 15, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Huly Platform to the latest officially released version that contains the getAccountInfo authorization fix.
  • Implement strict role‑based access controls around the getAccountInfo endpoint so that only users with the appropriate privileges can retrieve account data.
  • Monitor API logs for repeated unauthorized access attempts and enforce rate limiting or temporary bans to mitigate brute‑force exploitation.

Generated by OpenCVE AI on June 15, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title hcengineering Huly Platform User Information operations.ts getAccountInfo improper authorization
First Time appeared Hcengineering
Hcengineering huly Platform
Weaknesses CWE-266
CWE-285
CPEs cpe:2.3:a:hcengineering:huly_platform:*:*:*:*:*:*:*:*
Vendors & Products Hcengineering
Hcengineering huly Platform
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Hcengineering Huly Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T03:15:06.037Z

Reserved: 2026-06-14T12:38:01.859Z

Link: CVE-2026-12213

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-15T04:16:25.780

Modified: 2026-06-15T04:16:25.780

Link: CVE-2026-12213

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T05:30:30Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-285

    Improper Authorization