Description
Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sismics Docs (Teedy) v1.11 contains an incorrect access control condition that allows an attacker who crafts a request to share‑based read endpoints to retrieve data that should be restricted. This flaw can result in unauthorized disclosure of confidential documents or system information, compromising the confidentiality of the data stored in the application. The weakness is an improper access control vulnerability (CWE‑284).

Affected Systems

The affected product is Sismics Docs, commonly known as Teedy, version 1.11. No additional vendor or product variants are listed in the public metadata. Administrators who run this version should verify that they are not using legacy share‑based APIs without proper authentication layers.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating a high impact if exploited. However, the EPSS score is below 1 %, suggesting that attacks exploiting this issue are currently rare. The vulnerability is not included in the CISA KEV catalog, implying no confirmed exploits have been reported. An attacker would need the ability to target a Teedy instance, craft a request to a share‑based read endpoint, and the endpoint would return data without verifying the requester's authenticity. No privileged credentials or elevated permissions are required, making the condition straightforward to meet for an outsider.

Generated by OpenCVE AI on June 18, 2026 at 01:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or update to a fixed version that addresses the access control flaw.
  • If an upgrade is not immediately possible, restrict network access to the Teedy instance, allowing only trusted hosts to reach the share‑based endpoints.
  • Enforce strict authentication checks for all API calls that expose shared content, ensuring the requester is authorized for the requested resource.

Generated by OpenCVE AI on June 18, 2026 at 01:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Access Control Bypass in Sismics Docs Share Endpoints

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Access Control Bypass in Sismics Docs Share Endpoints

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sismics
Sismics teedy
Vendors & Products Sismics
Sismics teedy

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive endpoints via a crafted request.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:41:16.312Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50885

cve-icon Vulnrichment

Updated: 2026-06-16T14:41:06.960Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:31.477

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-50885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:45:15Z

Weaknesses