Description
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer.

This issue affects Apache Answer: through 2.0.0.

Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and its revision history.
Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Published: 2026-06-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from missing authorization checks on timeline-related API endpoints in Apache Answer. This flaw allows any authenticated user to view content that has been deleted, marked private, or remains unapproved, along with its revision history. Consequently, private personal information can be exposed to users who should not have access to it.

Affected Systems

Apache Answer versions up to and including 2.0.0 are affected. The issue is fixed in release 2.0.1, so every installation still running 2.0.0 or earlier is at risk.

Risk and Exploitability

The root cause is a missing authorization check: the timeline endpoints verified that a caller was logged in but not that the caller was entitled to the specific object being requested (CWE-359 classifies the resulting exposure of private information, not the missing check itself). An attacker therefore needs only an ordinary account and a well-formed request to a timeline endpoint for a deleted, private, or unapproved object; no special conditions are required. The recorded CVSS 3.1 score is 6.1 (medium). Note that the vector on record (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, see History below) lists no privileges required, user interaction required and a low integrity impact, which does not match the description of an authenticated, read-only bypass; NVD analysis is still listed as undergoing, so treat the vector as provisional. The EPSS score is below 1%, the SSVC assessment records no known exploitation, and the vulnerability is not in CISA's KEV catalog. Even so, the exposed data can include personal information in content that authors deliberately deleted or kept private, and the bypass is trivial for any account holder, so operators should upgrade promptly, prioritizing instances that allow open self-registration.
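As an added illustration of the flaw class described above (example code written for this page, not Apache Answer's source; the types, the in-memory store, the role model and the function names are assumptions), here is a timeline handler that checks only authentication beside one that authorizes per object. The hardened version also returns the same "not found" error for hidden objects the caller may not see, so the endpoint does not confirm that a deleted or private object exists.

```go
package main

import (
	"errors"
	"fmt"
)

// Status is the visibility state of a question or answer. Hypothetical model
// for this example; Apache Answer's real types are not reproduced here.
type Status int

const (
	StatusPublished Status = iota
	StatusDeleted
	StatusPrivate
	StatusUnapproved
)

type Revision struct {
	ID      string
	Content string
}

type Object struct {
	ID        string
	OwnerID   string
	Status    Status
	Revisions []Revision
}

type User struct {
	ID      string
	IsAdmin bool
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// store is a constructed sample data set: one public object, one deleted
// object whose draft holds personal data, one object awaiting approval.
var store = map[string]*Object{
	"q1": {ID: "q1", OwnerID: "alice", Status: StatusPublished,
		Revisions: []Revision{{ID: "r1", Content: "public question text"}}},
	"q2": {ID: "q2", OwnerID: "bob", Status: StatusDeleted,
		Revisions: []Revision{{ID: "r2", Content: "deleted draft containing bob's home address"}}},
	"q3": {ID: "q3", OwnerID: "carol", Status: StatusUnapproved,
		Revisions: []Revision{{ID: "r3", Content: "pending review"}}},
}

// VulnerableTimeline mirrors the flaw class in the advisory: it confirms that
// a caller exists (authentication) and then returns the full revision history
// regardless of the object's status or ownership.
func VulnerableTimeline(caller *User, objectID string) ([]Revision, error) {
	if caller == nil {
		return nil, ErrForbidden
	}
	obj, ok := store[objectID]
	if !ok {
		return nil, ErrNotFound
	}
	return obj.Revisions, nil
}

// canViewHidden is the object-level authorization decision: content that is
// not published is visible only to admins and to the object's owner.
func canViewHidden(caller *User, obj *Object) bool {
	return caller.IsAdmin || caller.ID == obj.OwnerID
}

// FixedTimeline enforces authorization per object, not just authentication.
// Published objects stay readable by any authenticated user; deleted, private
// or unapproved objects (and their revisions) require ownership or admin rights.
func FixedTimeline(caller *User, objectID string) ([]Revision, error) {
	if caller == nil {
		return nil, ErrForbidden
	}
	obj, ok := store[objectID]
	if !ok {
		return nil, ErrNotFound
	}
	if obj.Status != StatusPublished && !canViewHidden(caller, obj) {
		// Same error as a missing object, so the endpoint is not an
		// existence oracle for hidden content.
		return nil, ErrNotFound
	}
	return obj.Revisions, nil
}

func main() {
	mallory := &User{ID: "mallory"} // ordinary authenticated user
	if revs, err := VulnerableTimeline(mallory, "q2"); err == nil {
		fmt.Printf("vulnerable: leaked %d revision(s) of a deleted object: %q\n", len(revs), revs[0].Content)
	}
	if _, err := FixedTimeline(mallory, "q2"); err != nil {
		fmt.Println("fixed:", err)
	}
}
```

The decision lives in a single predicate (canViewHidden) so that every timeline route, question or answer, calls the same check; the advisory's defect is exactly the case where one family of routes skipped it.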

Generated by OpenCVE AI on June 9, 2026 at 16:24 UTC.

Remediation

Vendor fix: upgrade to Apache Answer 2.0.1, which the vendor states fixes the issue. No workaround is listed for installations that cannot upgrade.

OpenCVE Recommended Actions

  • Upgrade Apache Answer to 2.0.1 or later.
  • If you build or fork Apache Answer, confirm that every timeline endpoint authorizes per object: a caller may read the revision history of deleted, private, or unapproved content only when they own it or hold a role the application treats as entitled to see it. Authentication alone is not sufficient.
  • Review access logs for timeline requests from ordinary accounts that cover many distinct objects in a short period, which is the pattern an attacker enumerating hidden content would leave.
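For the log-review action, an added example in Go that is not part of this page or of the Apache Answer project. The log format (timestamp, user, method, path, status) and the timeline route shape are constructed assumptions, as are the sample lines; the logic flags accounts that fetch timelines for more than a threshold of distinct objects inside any sliding window, while ignoring an account that repeatedly reloads one object.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this example. Assumed format per line:
// RFC3339 timestamp, user ID, HTTP method, path, HTTP status.
const sampleLog = `2026-06-09T10:00:01Z alice GET /api/v1/question/q1/timeline 200
2026-06-09T10:00:05Z mallory GET /api/v1/question/q1/timeline 200
2026-06-09T10:00:06Z mallory GET /api/v1/question/q2/timeline 200
2026-06-09T10:00:07Z mallory GET /api/v1/question/q3/timeline 200
2026-06-09T10:00:08Z mallory GET /api/v1/answer/a1/timeline 200
2026-06-09T10:00:09Z mallory GET /api/v1/answer/a2/timeline 200
2026-06-09T10:00:10Z mallory GET /api/v1/answer/a3/timeline 200
2026-06-09T10:00:11Z mallory GET /api/v1/question/q4/timeline 404
2026-06-09T10:00:30Z bob GET /api/v1/question/q2/timeline 200
2026-06-09T10:00:31Z bob GET /api/v1/question/q2/timeline 200
2026-06-09T10:00:32Z bob GET /api/v1/question/q2/timeline 200
2026-06-09T10:00:33Z bob GET /api/v1/question/q2/timeline 200
2026-06-09T10:00:34Z bob GET /api/v1/question/q2/timeline 200
2026-06-09T10:00:35Z bob GET /api/v1/question/q2/timeline 200
2026-06-09T11:30:00Z alice GET /api/v1/question/q5/timeline 200
2026-06-09T13:00:00Z alice GET /api/v1/answer/a9/timeline 200
2026-06-09T13:00:01Z noise POST /api/v1/question/q1/answer 201
`

// Hit is one parsed timeline request.
type Hit struct {
	When     time.Time
	User     string
	ObjectID string
	Status   string
}

// lineRe matches the assumed log format. The route shape is a placeholder
// for this example, not Apache Answer's real path.
var lineRe = regexp.MustCompile(`^(\S+) (\S+) GET /api/v1/(?:question|answer)/([^/\s]+)/timeline (\d{3})$`)

// ParseTimelineHits extracts timeline requests; non-matching lines are skipped.
// Failed requests (for example 404) are kept, because probing for object IDs
// that do not exist is part of the enumeration pattern.
func ParseTimelineHits(logText string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(sc.Text()))
		if m == nil {
			continue
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		hits = append(hits, Hit{When: ts, User: m[2], ObjectID: m[3], Status: m[4]})
	}
	return hits
}

// FlagEnumerators returns, sorted, the users who requested timelines for more
// than threshold distinct objects within any window of the given length.
// Refetching a single object does not count; spread across many object IDs does.
func FlagEnumerators(hits []Hit, window time.Duration, threshold int) []string {
	byUser := map[string][]Hit{}
	for _, h := range hits {
		byUser[h.User] = append(byUser[h.User], h)
	}
	var flagged []string
	for user, hs := range byUser {
		sort.Slice(hs, func(i, j int) bool { return hs[i].When.Before(hs[j].When) })
		for i := range hs {
			distinct := map[string]struct{}{}
			for j := i; j < len(hs) && hs[j].When.Sub(hs[i].When) <= window; j++ {
				distinct[hs[j].ObjectID] = struct{}{}
			}
			if len(distinct) > threshold {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	hits := ParseTimelineHits(sampleLog)
	for _, u := range FlagEnumerators(hits, 5*time.Minute, 5) {
		fmt.Printf("possible timeline enumeration by %s\n", u)
	}
}
```

Tune the window and threshold to the instance: a moderator legitimately reviewing a queue will touch many objects, so exclude privileged roles or raise the threshold for them, and treat hits from ordinary accounts that mix many 404s with 200s as the strongest signal.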



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 10:30:00 +0000

Type: References

Tue, 09 Jun 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Apache, Apache answer

Type: Vendors & Products
Values Added: Apache, Apache answer

Tue, 09 Jun 2026 08:45:00 +0000

Type: Description
Values Added: Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and its revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

Type: Title
Values Added: Apache Answer: Authorization Bypass in Timeline API

Type: Weaknesses
Values Added: CWE-359

Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-09T14:58:00.387Z

Reserved: 2026-02-05T09:04:44.915Z

Link: CVE-2026-25699

Vulnrichment

Updated: 2026-06-09T09:07:30.850Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T09:16:28.913

Modified: 2026-06-09T16:16:40.320

Link: CVE-2026-25699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T16:30:08Z

Weaknesses