No analysis available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 17 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Thehive-project
Thehive-project thehive |
|
| Vendors & Products |
Thehive-project
Thehive-project thehive |
Fri, 17 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | TheHive through 4.1.24 contains a broken object-level authorization vulnerability in the attachment download endpoints that allows any authenticated user to access attachments belonging to other organizations by supplying a content-hash identifier. Attackers can exploit the missing organization-scoped authorization check in AttachmentSrv.visible, which is implemented as a pass-through traversal, to download arbitrary attachments. | |
| Title | TheHive 4.1.24 Broken Object Level Authorization via Attachment Download Endpoints | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T16:34:56.233Z
Reserved: 2026-07-15T15:45:44.601Z
Link: CVE-2026-63099
Updated: 2026-07-17T16:34:49.573Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T17:30:05Z
-
CWE-639
Authorization Bypass Through User-Controlled Key