Description
Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle — which the attacker controls — and then the action deletes whichever preview's UUID is supplied. The check therefore guards the wrong project.
Published: 2026-05-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tuist DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads a preview by its UUID without ensuring it belongs to the project named in the URL. This IDOR (CWE-639) lets an authenticated attacker delete a preview owned by a different tenant by supplying that preview's UUID, causing unintended data loss; the CVSS vector records this as a high availability impact with no confidentiality or integrity impact. The attack is a remote API call made after authenticating: the attacker places the handles of a project they are already authorized on in the URL path, so the route's project-level authorization plug passes, and supplies the victim's preview UUID as preview_id. Nothing ties the two together, so the authorization check guards the wrong object.

Affected Systems

This issue exists in Tuist 1.180.8 and earlier. Instances running these versions with the preview deletion API reachable by authenticated users are at risk.

Risk and Exploitability

The CVSS 4.0 base score of 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H) indicates high severity. The EPSS estimate shown for this CVE is below 1%, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records exploitation as none but the attack as automatable, since a script needs only valid credentials and a list of target UUIDs. Based on the description, an attacker must first authenticate with the Tuist API as a user with access to at least one project and then send a crafted DELETE request naming that project in the path and an unrelated preview UUID. No local or privileged access is required beyond normal API permissions.

Generated by OpenCVE AI on May 14, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tuist to a release that verifies preview ownership, once the vendor publishes one (none is listed here at the time of writing)
  • Restrict API token scopes so that only users who need to delete previews hold tokens able to do so, limiting the impact of a compromised token
  • If an upgrade cannot be performed immediately, add server‑side validation that loads the preview scoped to the project resolved from the URL (for example, by looking it up by both UUID and project id) and returns 404 when no row matches, so the authorization decision and the deleted row refer to the same project
  • Consider disabling or further restricting the preview deletion API for tenants until the fix is applied

Generated by OpenCVE AI on May 14, 2026 at 22:51 UTC.
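One way to apply the server-side check from the third recommendation above, as an added example that is not Tuist's own code: the DELETE action written in the vulnerable shape the advisory describes, beside a hardened version, in Elixir/Phoenix (the stack an AuthorizationPlug belongs to). The module, schema, field and assign names (MyAppWeb.PreviewController, MyApp.Previews.Preview, project_id, :selected_project) are assumptions for illustration; Tuist's actual names may differ.

```elixir
# Added example, not Tuist's code. Module, schema, field and assign names are
# hypothetical; only the shape mirrors the advisory's description of the route.
defmodule MyAppWeb.PreviewController do
  use MyAppWeb, :controller

  alias MyApp.Repo
  alias MyApp.Previews.Preview

  # Assumed: an upstream plug has already resolved account_handle/project_handle
  # to a project, authorized the caller against it, and put it in
  # conn.assigns.selected_project. This plays the role of the AuthorizationPlug
  # named in the advisory.

  # Vulnerable shape: the lookup uses only the UUID from the path, so the plug's
  # decision about the URL's project says nothing about the row being deleted.
  # Any authenticated user with one project of their own can delete any preview.
  def delete_unscoped(conn, %{"preview_id" => preview_id}) do
    preview = Repo.get!(Preview, preview_id)   # resolves previews of every tenant
    Repo.delete!(preview)
    send_resp(conn, :no_content, "")
  end

  # Hardened shape: scope the lookup to the authorized project. A UUID that
  # belongs to another project simply does not match, so the caller gets 404
  # and cannot tell whether the UUID exists at all.
  def delete(conn, %{"preview_id" => preview_id}) do
    project = conn.assigns.selected_project

    with {:ok, uuid} <- Ecto.UUID.cast(preview_id),
         %Preview{} = preview <-
           Repo.get_by(Preview, id: uuid, project_id: project.id) do
      Repo.delete!(preview)
      send_resp(conn, :no_content, "")
    else
      # A malformed UUID (cast returns :error) and a UUID outside this project
      # (get_by returns nil) get the same response, so neither leaks anything.
      _ ->
        conn
        |> put_status(:not_found)
        |> json(%{message: "Preview not found"})
    end
  end
end
```

The Ecto.UUID.cast step is a practical caveat rather than part of the fix: with a :binary_id primary key, Repo.get_by raises Ecto.Query.CastError on a non-UUID string, which would turn a bad input into a 500. A regression test for this bug creates two projects, authenticates as a member of the first, sends DELETE for a preview belonging to the second, and asserts both the 404 and that the second project's preview row still exists.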

Advisories

No advisories yet.

History

Sat, 16 May 2026 01:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tuist; Tuist tuist

Type: Vendors & Products
Values Removed: (none)
Values Added: Tuist; Tuist tuist

Thu, 14 May 2026 21:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle — which the attacker controls — and then the action deletes whichever preview's UUID is supplied. The check therefore guards the wrong project.

Type: Title
Values Removed: (none)
Values Added: Tuist: IDOR in preview deletion API allows cross-tenant deletion of any preview by UUID

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-639

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-16T01:03:16.241Z

Reserved: 2026-05-07T16:20:08.660Z

Link: CVE-2026-44678

Vulnrichment

Updated: 2026-05-16T01:03:09.472Z

NVD

Status: Deferred

Published: 2026-05-14T21:16:47.640

Modified: 2026-05-15T14:53:48.823

Link: CVE-2026-44678

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:21:01Z

Weaknesses