Description
A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
Published: 2026-03-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access and disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated user to supply a user-controlled key to the console-survey/api/v1/answer endpoint, enabling enumeration of valid event IDs and retrieval of the entire Q&A history. The data exposed can contain IDs, private URLs, private messages, internal references and other sensitive information that should be restricted to authenticated users. Consequently, the attacker gains privileged access to confidential chat content and can leverage that information for reconnaissance, lateral movement, exploitation of related systems, or direct unauthorized access to internal applications referenced within the chat.

Affected Systems

The affected product is ON24 Q&A chat provided by ON24. No version information is supplied, so every deployment of the ON24 Q&A chat service could be vulnerable. The public endpoint responsible for returning past Q&A data is listed in the product’s CPE name.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity, mapping to CWE-639 (Authorization Bypass by User-Controlled Key). EPSS is not reported, but the absence of authentication and the public exposure of the API make exploitation likely with ordinary HTTP requests. While the vulnerability is not currently listed in the CISA KEV catalog, its potential to expose sensitive data and aid in lateral movement demands immediate attention. Based on the description, it is inferred that the attack vector involves crafted HTTP requests to the unprotected endpoint.
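The analysis above describes the CWE-639 pattern: the event ID taken from the URL is the only key, and nothing ties it to an authenticated caller. The following is an added illustration, not ON24's code and not taken from the advisory: a toy answer-history handler in that vulnerable shape, beside a hardened handler that authenticates the session and then checks that the caller is entitled to the requested event. The event IDs, users, session tokens, data and handler signatures are all constructed for the example.

```python
"""Added example, not ON24's code: a toy Q&A answer-history endpoint in the
CWE-639 shape the advisory describes (event ID from the URL is the only key),
beside a hardened handler that authenticates the caller and checks that they
are entitled to the requested event. Event IDs, sessions, users, and the
handler signatures are all constructed for illustration."""
import logging
from dataclasses import dataclass

LOG = logging.getLogger("qa-api")

# Constructed sample data: two events with separate attendee lists and
# answer histories. The first answer contains the kind of internal URL the
# advisory warns may leak.
EVENTS = {
    "4001": {
        "attendees": {"alice"},
        "answers": [
            {"ts": 1710000000, "q": "Where is the staging portal?",
             "a": "https://staging.example.internal/login"},
        ],
    },
    "4002": {
        "attendees": {"bob"},
        "answers": [
            {"ts": 1710000100, "q": "Can we get the slides?", "a": "Emailed."},
        ],
    },
}

# Constructed sessions: opaque bearer token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# In-memory audit trail of denied requests, so the check's effect is visible.
DENIED = []


@dataclass
class Response:
    status: int
    body: object = None


def answers_since(event_id, since_ts):
    """Q&A entries for an event with a timestamp at or after since_ts."""
    return [a for a in EVENTS[event_id]["answers"] if a["ts"] >= since_ts]


def get_answers_vulnerable(event_id, since_ts):
    """Vulnerable shape: whoever supplies a valid event ID gets the history.
    The only 'key' is user-controlled, and nothing ties it to a caller."""
    if event_id not in EVENTS:
        return Response(404)
    return Response(200, answers_since(event_id, since_ts))


def get_answers_hardened(session_token, event_id, since_ts, client_ip="203.0.113.10"):
    """Hardened handler: authenticate, then authorize against the event."""
    # 1. Authentication: no valid session, no data.
    user = SESSIONS.get(session_token)
    if user is None:
        DENIED.append({"ip": client_ip, "event_id": event_id, "reason": "unauthenticated"})
        LOG.warning("unauthenticated request for event %s from %s", event_id, client_ip)
        return Response(401)

    # 2. Authorization: the caller must be entitled to this specific event.
    # Unknown and forbidden event IDs get the same 404 so the response code
    # cannot be used as an oracle for which event IDs exist.
    event = EVENTS.get(event_id)
    if event is None or user not in event["attendees"]:
        DENIED.append({"ip": client_ip, "user": user, "event_id": event_id, "reason": "not_entitled"})
        LOG.warning("user %s denied for event %s from %s", user, event_id, client_ip)
        return Response(404)

    return Response(200, answers_since(event_id, since_ts))


if __name__ == "__main__":
    print(get_answers_vulnerable("4001", 0))          # anyone gets alice's history
    print(get_answers_hardened(None, "4001", 0))      # 401
    print(get_answers_hardened("tok-bob", "4001", 0))  # 404: bob is not entitled
    print(get_answers_hardened("tok-alice", "4001", 0))
```

The design point is the second check: authentication alone is not enough, because a logged-in attendee of one event could still walk other event IDs. Authorization must be evaluated per object, and the same response for "does not exist" and "not yours" keeps the endpoint from confirming valid IDs.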

Generated by OpenCVE AI on March 30, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact ON24 support or consult their advisories to determine if a patch or update is available; apply it promptly.
  • If a patch is not yet available, restrict access to the /console-survey/api/v1/answer endpoint so that only authenticated users can reach it, using firewall rules or application configuration.
  • Review and enforce proper authentication and authorization checks for all API endpoints in the ON24 Q&A chat to ensure that sensitive data is protected.
  • Implement network segmentation and least privilege controls to limit the potential lateral movement from exposed chat data.
  • Enable monitoring and logging for failed and successful access attempts to the chat API to detect suspicious activity.
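The last recommendation above asks for logging and monitoring of access to the chat API. As an added example (not OpenCVE's or ON24's code), the script below scans web-server access logs for the trace that enumeration of the `{EVENTID}` path segment would leave: one client requesting the answer endpoint for many distinct event IDs in a short time. The log format (Apache/nginx combined format), the sample lines, the client addresses and the threshold are all constructed for illustration; the endpoint path is the one named in the advisory.

```python
"""Added example, not ON24's or OpenCVE's code: scans web-server access logs
for one client requesting the answer-history endpoint for many distinct
event IDs, the pattern an enumeration of {EVENTID} would leave. The log
format (combined log format) and the sample lines are constructed."""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Request line for the endpoint named in the advisory; event ID and timestamp
# are the two path segments.
ANSWER_RE = re.compile(
    r'^GET /console-survey/api/v1/answer/(?P<event>[^/]+)/(?P<ts>[^/ ]+)/? HTTP/'
)

# Constructed sample: 203.0.113.10 walks six event IDs in a few seconds,
# 198.51.100.7 fetches one event twice, and one line is an unrelated path.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2026:14:01:02 +0000] "GET /console-survey/api/v1/answer/4001/0/ HTTP/1.1" 200 812
203.0.113.10 - - [30/Mar/2026:14:01:03 +0000] "GET /console-survey/api/v1/answer/4002/0/ HTTP/1.1" 200 3120
203.0.113.10 - - [30/Mar/2026:14:01:03 +0000] "GET /console-survey/api/v1/answer/4003/0/ HTTP/1.1" 404 0
203.0.113.10 - - [30/Mar/2026:14:01:04 +0000] "GET /console-survey/api/v1/answer/4004/0/ HTTP/1.1" 200 77
203.0.113.10 - - [30/Mar/2026:14:01:04 +0000] "GET /console-survey/api/v1/answer/4005/0/ HTTP/1.1" 404 0
203.0.113.10 - - [30/Mar/2026:14:01:05 +0000] "GET /console-survey/api/v1/answer/4006/0/ HTTP/1.1" 200 2048
198.51.100.7 - - [30/Mar/2026:14:02:10 +0000] "GET /console-survey/api/v1/answer/4001/1710000000/ HTTP/1.1" 200 812
198.51.100.7 - - [30/Mar/2026:14:02:40 +0000] "GET /console-survey/api/v1/answer/4001/1710000500/ HTTP/1.1" 200 120
198.51.100.7 - - [30/Mar/2026:14:02:41 +0000] "GET /static/app.js HTTP/1.1" 200 55123
"""


def parse_answer_requests(lines):
    """Yield (ip, event_id, status) for each hit on the answer endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        r = ANSWER_RE.match(m.group("request"))
        if not r:
            continue
        yield m.group("ip"), r.group("event"), int(m.group("status"))


def find_enumeration(lines, min_distinct=5):
    """Return {ip: {"events": sorted ids, "not_found": n}} for clients that
    touched at least min_distinct distinct event IDs on the endpoint.
    The 404 count is reported because a client probing for valid IDs
    typically collects misses alongside hits."""
    events = defaultdict(set)
    not_found = defaultdict(int)
    for ip, event, status in parse_answer_requests(lines):
        events[ip].add(event)
        if status == 404:
            not_found[ip] += 1
    return {
        ip: {"events": sorted(ids), "not_found": not_found[ip]}
        for ip, ids in events.items()
        if len(ids) >= min_distinct
    }


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(info['events'])} distinct event IDs, "
              f"{info['not_found']} not-found responses")
```

The threshold is a tuning choice: a legitimate moderator may poll a handful of events, so the signal is many distinct IDs from one source, ideally combined with the absence of a session cookie or a 401 from the hardened endpoint once a fix is in place.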

Generated by OpenCVE AI on March 30, 2026 at 14:35 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                On24 on24 Q&a Chat
Vendors & Products   -                On24 on24 Q&a Chat

Mon, 30 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 13:45:00 +0000

Type                 Values Removed   Values Added
Description          -                A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
Title                -                Authorization Bypass in ON24 Q&A chat
First Time appeared  -                On24; On24 on24 Q A Chat
Weaknesses           -                CWE-639
CPEs                 -                cpe:2.3:a:on24:on24_q_a_chat:*:*:*:*:*:*:*:*
Vendors & Products   -                On24; On24 on24 Q A Chat
References           -                -
Metrics              -                cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-30T15:32:43.386Z

Reserved: 2026-02-27T10:16:13.144Z

Link: CVE-2026-3321

Vulnrichment

Updated: 2026-03-30T15:32:38.461Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T14:16:35.420

Modified: 2026-04-01T14:24:21.833

Link: CVE-2026-3321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:40:54Z

Weaknesses