Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer.

This issue affects Apache Answer: through 2.0.0.

The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history.
Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Answer failed to enforce access restrictions on direct API endpoints, enabling authenticated users to discover and retrieve unlisted questions, including their answers, comments, and revision history. The vulnerability allows an attacker to gain sensitive information that should remain hidden, compromising confidentiality of user‑generated content.

Affected Systems

Apache Software Foundation’s Apache Answer, version 2.0.0 and earlier. The issue is present in all builds released up to and including 2.0.0.

Risk and Exploitability

The flaw can be exploited by any user authenticated to the API; no additional privileges are required beyond standard authentication. Since the API endpoints are publicly reachable, an attacker can enumerate question IDs and retrieve data. The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of automated exploitation. The vulnerability is not listed in the CISA KEV catalog, but the potential impact remains significant data disclosure, allowing a determined attacker to harvest large amounts of sensitive content.

Generated by OpenCVE AI on June 9, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Answer to version 2.0.1 or later to apply the vendor‑supplied fix.
  • Ensure that API access is only granted to users with appropriate privileges; review and tighten role‑based access controls where possible.
  • Monitor API usage logs for anomalous behavior, such as repeated requests for unlisted questions, and investigate any suspicious activity.

Generated by OpenCVE AI on June 9, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 10:30:00 +0000

Type Values Removed Values Added
References

Tue, 09 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache answer
Vendors & Products Apache
Apache answer

Tue, 09 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Title Apache Answer: Unlisted Questions Accessible via Direct API Access
Weaknesses CWE-200
References

Subscriptions

Apache Answer
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-09T14:55:35.086Z

Reserved: 2026-03-31T12:21:44.518Z

Link: CVE-2026-34905

cve-icon Vulnrichment

Updated: 2026-06-09T09:07:36.514Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T09:16:29.537

Modified: 2026-06-09T16:16:40.990

Link: CVE-2026-34905

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T16:30:08Z

Weaknesses