Description
A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to unauthorized access to sensitive information and unauthorized changes to the tenant's configuration.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Cross-Tenant Data Access and Modification
Action: Patch
AI Analysis

Impact

The Augmentt web application contains an insecure direct object reference flaw that lets attackers bypass owner checks and retrieve or alter data belonging to other tenants. This can compromise both confidentiality and integrity of tenant data, with the weakness mapped to CWE-639.

Affected Systems

All deployed instances of the Augmentt web application are potentially vulnerable; no specific version information was supplied, so any deployment of the product may be impacted until a fix is applied.

Risk and Exploitability

Based on the description, the attack vector is inferred to be ordinary web requests in which object identifiers are guessed or enumerated. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog, but the cross-tenant elevation potential makes it a high-risk flaw even though the CVSS score of 6.5 rates its severity as moderate. Once the web application is reachable from a network or the internet, exploitation could occur with minimal effort from an unauthenticated user.

Generated by OpenCVE AI on April 22, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-provided patch that fixes the insecure direct object reference by adding the missing ownership checks.
  • Implement server-side validation so that every object identifier is verified against the requesting tenant's context before any read or write is performed.
  • Enforce role-based access control so that only privileged users can alter configuration settings, and no user can access other tenants' data.
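As an added illustration of the second recommendation (not code from this page or from Augmentt), the following Python sketch contrasts a lookup that trusts the client-supplied identifier with a tenant-scoped lookup that takes the tenant from the server-side session and makes the ownership check part of the query. The record store, field names and function names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class TenantConfig:
    config_id: int
    tenant_id: str
    settings: dict = field(default_factory=dict)


# Constructed sample store: two tenants, one configuration record each.
CONFIGS = {
    101: TenantConfig(101, "tenant-a", {"sso": "off"}),
    202: TenantConfig(202, "tenant-b", {"sso": "on"}),
}


class NotFound(Exception):
    """Raised for missing and for foreign-tenant objects alike, so the
    response does not tell a caller whether an identifier exists."""


def get_config_vulnerable(config_id: int) -> TenantConfig:
    # CWE-639 pattern: the identifier is the only key, so any tenant
    # that supplies another tenant's id receives that tenant's record.
    return CONFIGS[config_id]


def get_config(session_tenant: str, config_id: int) -> TenantConfig:
    # Hardened: the tenant comes from the authenticated session, never
    # from the request, and ownership is checked in the lookup itself.
    cfg = CONFIGS.get(config_id)
    if cfg is None or cfg.tenant_id != session_tenant:
        raise NotFound()
    return cfg


def can_access(session_tenant: str, config_id: int) -> bool:
    try:
        get_config(session_tenant, config_id)
        return True
    except NotFound:
        return False


def update_setting(session_tenant: str, config_id: int, key: str, value: str) -> dict:
    # Writes reuse the same scoped lookup, so a modification path cannot
    # skip the ownership check that the read path enforces.
    cfg = get_config(session_tenant, config_id)
    cfg.settings[key] = value
    return dict(cfg.settings)
```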


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:45:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-639

Wed, 22 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 13:45:00 +0000

Type: Description
Values removed: (none)
Values added: A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to unauthorized access to sensitive information and unauthorized changes to the tenant's configuration.

Type: Title
Values removed: (none)
Values added: CVE-2026-6355

Type: References
Values removed: (none)
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-22T14:19:45.268Z

Reserved: 2026-04-15T13:48:22.716Z

Link: CVE-2026-6355

Vulnrichment

Updated: 2026-04-22T14:18:32.851Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T14:17:06.627

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-6355

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses