Description
OutSystems Lifetime is vulnerable to an Authorization Bypass Through User-Controlled Key vulnerability in the ApplicationID parameter. Any authenticated user can read the Change Log, which contains actions performed by other users, as well as the application name of any application.

This issue was fixed in OutSystems Lifetime version 11.28.2.3955
Published: 2026-05-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OutSystems Lifetime has a flaw in the ApplicationID parameter that allows any authenticated user to bypass normal authorization checks and view the Change Log for any application. This log contains detailed information about actions performed by other users, exposing sensitive audit data and providing insight into user activity. The vulnerability is an information-disclosure issue that could allow attackers to learn how the system is used and potentially plan further attacks based on the disclosed information.

Affected Systems

The issue affects the OutSystems Lifetime application. Versions older than 11.28.2.3955 are vulnerable. Users running earlier releases should verify their current version and plan an upgrade if necessary.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through the web interface or API when an authenticated user manipulates the ApplicationID parameter in a request. Because the attack requires authentication, the impact is limited to users who already have legitimate credentials, but the resulting information disclosure remains a security concern.

Generated by OpenCVE AI on May 25, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch by upgrading to OutSystems Lifetime version 11.28.2.3955 or later.
  • If an upgrade is not immediately feasible, restrict visibility of the Change Log to privileged roles only, ensuring that only designated administrators can access this view.
  • Monitor for anomalous or unauthorized accesses to audit logs, and audit user activity to detect potential misuse or exploitation.

Generated by OpenCVE AI on May 25, 2026 at 12:22 UTC.


Advisories

No advisories yet.

History

Mon, 25 May 2026 11:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955

Type: Title
  Values Removed: (none)
  Values Added: Authorization Bypass Through User-Controlled Key in OutSystems Lifetime

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-639

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-25T10:18:05.904Z

Reserved: 2026-04-09T10:15:00.973Z

Link: CVE-2026-40127

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T12:30:25Z

Weaknesses