Description
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.
Published: 2026-06-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a cross-tenant insecure direct object reference, i.e. a missing authorization check (CWE-862), that lets any authenticated user view, alter, delete, or run other users' robots and read their OAuth tokens. Because the Google and Airtable access tokens are returned in plaintext, an attacker gains whatever access those third-party accounts grant, compromising their confidentiality; modifying, deleting, or executing other tenants' robots affects the integrity and availability of their workflows.

Affected Systems

The vulnerability exists in every Maxun release before version 0.0.42; users running 0.0.41, 0.0.40, or earlier are exposed. No other product is listed as affected.

Risk and Exploitability

The CVSS v4.0 score is 8.7 (v3.1: 8.8), indicating high severity. The EPSS score is below 1% and the CVE is not listed in CISA KEV, but the absence of observed exploitation does not reduce the risk of a bug this simple to exercise. The attacker needs only an ordinary authenticated account (PR:L), no user interaction, and no special preconditions. Because the storage and webhook API handlers resolve objects by identifier without checking ownership, anyone with a valid login has a straightforward path to other tenants' robots and tokens.
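To make the missing-ownership-check pattern concrete, the following is an added illustration, not code from Maxun or from this page: an in-memory stand-in for a robot lookup handler in its vulnerable form beside a hardened form, plus a small cross-tenant probe of the kind one would run after upgrading to confirm the boundary holds. The store layout, field names (userId, integration.accessToken), handler names and the two sample tenants are all hypothetical constructions.

```javascript
// Added illustration of the CWE-862 (missing authorization) pattern described
// above. This is NOT Maxun's code: the store, handler names and field names are
// hypothetical, and the two tenants below are constructed sample data.

// Constructed sample data: two tenants, each owning one robot whose
// integration record holds a plaintext OAuth access token.
const robots = [
  { id: 101, userId: 1, name: "alice-scraper",
    integration: { provider: "google", accessToken: "ya29.alice-token" } },
  { id: 202, userId: 2, name: "bob-scraper",
    integration: { provider: "airtable", accessToken: "pat.bob-token" } },
];

// Vulnerable handler: resolves the robot by id only. Any authenticated caller
// who guesses or enumerates another tenant's id receives the full record,
// plaintext token included. req.user is never consulted.
function getRobotVulnerable(req) {
  const robot = robots.find((r) => r.id === Number(req.params.id));
  if (!robot) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: robot };
}

// Hardened handler: the lookup is scoped to the caller's own tenant, so a
// foreign id simply does not resolve. 404 (not 403) avoids confirming that the
// id exists, and the access token is never echoed back to the client.
function getRobotHardened(req) {
  const robot = robots.find(
    (r) => r.id === Number(req.params.id) && r.userId === req.user.id
  );
  if (!robot) return { status: 404, body: { error: "not found" } };
  const { integration, ...safe } = robot;
  return { status: 200,
           body: { ...safe, integration: { provider: integration.provider } } };
}

// The same rule applied to a mutating action (delete, and by extension run or
// update): the object must be resolved through the caller's tenant before
// anything is done to it. `store` is a parameter so callers can pass a copy.
function deleteRobotHardened(req, store = robots) {
  const idx = store.findIndex(
    (r) => r.id === Number(req.params.id) && r.userId === req.user.id
  );
  if (idx === -1) return { status: 404, body: { error: "not found" } };
  store.splice(idx, 1);
  return { status: 204, body: null };
}

// Cross-tenant probe: invoke a handler as user 1 (Alice) against user 2's
// robot id and report whether the tenant boundary held. `leaked` is true when
// the foreign object was returned, which is exactly the reported bug.
function crossTenantProbe(handler) {
  const asAlice = { user: { id: 1 }, params: { id: "202" } }; // Bob's robot
  const res = handler(asAlice);
  return { leaked: res.status === 200, status: res.status, body: res.body };
}
```

Run the probe against both handlers: the vulnerable one hands Alice Bob's record including the Airtable token, the hardened one returns 404 and, for Alice's own robot, a response with the token stripped. Against a real deployment the equivalent check is two accounts and one HTTP request per endpoint, which is also how to verify that the 0.0.42 upgrade actually closed every affected handler rather than only the one first reported.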

Generated by OpenCVE AI on June 25, 2026 at 19:40 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The description identifies 0.0.42 as the first fixed release.

OpenCVE Recommended Actions

  • Upgrade Maxun to 0.0.42 or later, or apply the fix introduced in commit 11db0257.
  • Until upgraded, use firewall or API gateway rules to restrict the storage and webhook endpoints to users who need them. This only narrows who can reach the endpoints; it does not restore the ownership check, so any allowed authenticated user can still reach other tenants' objects.
  • Rotate any Google or Airtable tokens that may have been exposed (revoke them at the provider, not just locally) and audit robot configurations and execution history for changes or runs the owner did not make.

Generated by OpenCVE AI on June 25, 2026 at 19:40 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Getmaxun
                                      Getmaxun maxun
Vendors & Products                    Getmaxun
                                      Getmaxun maxun

Thu, 25 Jun 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 18:30:00 +0000

Type                 Values Removed   Values Added
Description                           Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.
Title                                 Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers
Weaknesses                            CWE-862
References
Metrics                               cvssV3_1
                                      {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                      cvssV4_0
                                      {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T20:28:18.697Z

Reserved: 2026-06-22T21:55:17.942Z

Link: CVE-2026-56767

Vulnrichment

Updated: 2026-06-25T20:27:17.737Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:00:12Z

Weaknesses