Description
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized disclosure of sensitive information via IDOR
Action: Assess Impact
AI Analysis

Impact

Wimi Teamwork On‑Premises versions earlier than 8.2.0 contain an insecure direct object reference in the preview.php endpoint. The item_id parameter is not verified for proper authorization, allowing an attacker to enumerate sequential identifiers and retrieve image previews from private or group conversations. The unintended disclosure of user‑contributed images results in access to confidential or personal data that belongs to other users.

Affected Systems

Cloud Solutions SAS’s Wimi Teamwork On‑Premises installations running any version prior to 8.2.0 are affected. The vulnerability exists wherever preview.php is exposed, and any user who can supply an item_id value will be able to trigger the IDOR behavior.

Risk and Exploitability

The assigned CVSS v3 base score of 5.3 reflects moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, through the web interface, and the flaw requires only enumeration of predictable item_id values, an action that can be automated once the attacker has network or web access to the application.

Generated by OpenCVE AI on April 8, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed version of Wimi Teamwork On‑Premises and confirm it is version 8.2.0 or higher.
  • Upgrade the software to the latest secure release if the current version is below 8.2.0.
  • If an immediate upgrade is not possible, restrict or disable direct access to preview.php and enforce proper authorization checks for the item_id parameter.
  • Monitor application logs for unauthorized attempts to access preview.php and review user privileges regularly.
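As an added example of the log-monitoring step above (not code from the page, OpenCVE or the vendor): a small Python script that flags clients whose successful preview.php requests walk through many sequential item_id values within a short window, the access pattern an IDOR enumeration leaves behind. The Apache combined log format, the thresholds and all sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format; not real Wimi logs.
def _line(ip, user, hhmmss, path):
    return f'{ip} - {user} [08/Apr/2026:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 4096 "-" "ua"'

SAMPLE_LOG = [
    _line("10.0.0.5", "alice", "14:00:01", "/preview.php?item_id=1041"),
    _line("10.0.0.5", "alice", "14:00:09", "/preview.php?item_id=1042"),
    _line("10.0.0.7", "bob", "14:02:30", "/index.php"),
] + [  # one client walking item_id 2000..2011, one request per second
    _line("10.0.0.9", "mallory", f"14:01:{i - 2000:02d}", f"/preview.php?item_id={i}")
    for i in range(2000, 2012)
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"GET /preview\.php\?item_id=(?P<item>\d+)[^"]*" (?P<status>\d{3})')

def parse_preview_hits(lines):
    """Yield (ip, user, timestamp, item_id) for each successful preview.php request."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group("ip"), m.group("user"), ts, int(m.group("item"))

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in a sorted list of distinct ids."""
    run = best = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(lines, window=timedelta(minutes=5), min_items=8, min_run=5):
    """Flag (ip, user) pairs fetching >= min_items distinct item_ids inside `window` with a consecutive run >= min_run."""
    by_client = defaultdict(list)
    for ip, user, ts, item in parse_preview_hits(lines):
        by_client[(ip, user)].append((ts, item))
    alerts = []
    for (ip, user), hits in by_client.items():
        hits.sort()
        for start, (t0, _) in enumerate(hits):  # sliding window anchored at each request
            ids = sorted({item for ts, item in hits[start:] if ts - t0 <= window})
            run = longest_sequential_run(ids)
            if len(ids) >= min_items and run >= min_run:
                alerts.append({"ip": ip, "user": user, "distinct_items": len(ids), "sequential_run": run})
                break  # one alert per client is enough
    return alerts
```

Tune min_items and min_run against normal usage first; a user scrolling a long conversation also loads several previews, but rarely a dense consecutive run from a single client.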



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cloud Solutions
                                       Cloud Solutions wimi Teamwork
Vendors & Products                     Cloud Solutions
                                       Cloud Solutions wimi Teamwork

Wed, 08 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 13:45:00 +0000

Type          Values Removed   Values Added
Description                    Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information.
Title                          Wimi Teamwork On-Premises < 8.2.0 IDOR via preview.php
Weaknesses                     CWE-639
References
Metrics                        cvssV4_0
                               {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Cloud Solutions Wimi Teamwork
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-08T14:17:46.846Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35023

Vulnrichment

Updated: 2026-04-08T14:17:24.249Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T14:16:28.320

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-35023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:39:35Z

Weaknesses