Description
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
Published: 2026-05-04
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical IDOR flaw in Comet Backup lets a tenant administrator impersonate any user belonging to other tenants on the same server via a vulnerable API call. This gives the attacker full access to the impersonated account, potentially exposing confidential data and performing actions as the target user. The weakness is a classic Insecure Direct Object Reference (CWE-639) that allows control over user identities without proper ownership checks.

Affected Systems

The vulnerability affects WebPros Comet Backup versions from 20.11.0 through 26.1.1 and 26.2.1. All installations of these releases running on a shared server are vulnerable.

Risk and Exploitability

The CVSS score of 9.9 signals a severe risk. The EPSS score is not available, but the lack of public exploitation data does not lessen the theoretical danger. The likely attack path is an authenticated API request performed by a legitimate tenant administrator; the vulnerability does not require additional privileges beyond those normally granted to the admin role. Once exploited, the attacker can impersonate any user across tenants, compromising confidentiality, integrity, and availability of tenant data. The flaw is not listed in the CISA KEV catalog, so monitoring for known exploits is prudent.

Generated by OpenCVE AI on May 4, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WebPros Comet Backup to the latest stable release that removes the vulnerable API call (e.g., 26.3 or later).
  • Restrict tenant administrator access to the API endpoint that exposes the IDOR, or enforce role‑based controls to ensure that administrators can only act on their own tenant's resources.
  • If an upgrade is delayed, immediately disable or block the vulnerable API from external networks and rotate any credentials that may have been used during the attack window.


Tracking


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 04 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webpros; Webpros comet Backup
Vendors & Products | | Webpros; Webpros comet Backup

Mon, 04 May 2026 07:45:00 +0000

Type | Values Removed | Values Added
Title | | Critical IDOR in Comet Backup Enables Tenant Admin Impersonation

Mon, 04 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
Weaknesses | | CWE-639
References | |
Metrics | | cvssV4_0 {'score': 9.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H'}


Subscriptions

Webpros Comet Backup
MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-04T19:44:22.056Z

Reserved: 2026-03-04T15:00:09.266Z

Link: CVE-2026-29200

Vulnrichment

Updated: 2026-05-04T19:44:10.306Z

NVD

Status : Received

Published: 2026-05-04T07:16:00.100

Modified: 2026-05-04T07:16:00.100

Link: CVE-2026-29200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:06:05Z

Weaknesses