CVE-2026-7702 - Vulnerability Details

- toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization

Description

A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-03

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability was found in the toeverything AFFiNE application up to version 0.26.3. The flaw resides in the allowDocPreview function of the Public Markdown Preview endpoint located at /workspace/:workspaceId/:docId. By manipulating the docId parameter, an attacker can bypass normal authorization checks and view the content of documents for which they have no permission. The effect is a loss of confidentiality and potential integrity violations, as sensitive markdown files may be accessed without authentication. This flaw is classified as an authorization bypass (CWE‑285) and also involves improper privilege validation (CWE‑639).

Affected Systems

The affected vendor is toeverything, product AFFiNE, specifically all versions up to and including 0.26.3. The issue affects the Public Markdown Preview component of the application. Users running these versions should review the version number and consider upgrades.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability can be exploited remotely by sending crafted requests to the preview endpoint. Since the exploit is publicly available and the vendor has not responded, the risk of attack is present, especially for deployments that expose the preview endpoint to untrusted networks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

toeverything

AFFiNE

affected

Version	Status	Constraints
`0.26.0`	affected	—
`0.26.1`	affected	—
`0.26.2`	affected	—
`0.26.3`	affected	—

No data.

Vendor Product Confidence Versions

Affine

95%

Version	Status	Scheme	Platform
`[0,*]`	affected	generic	—

Toeverything

Affine

100%

Version	Status	Scheme	Platform
`0.26.0`	affected	semver	—
`0.26.1`	affected	semver	—
`0.26.2`	affected	semver	—
`0.26.3`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade AffiNE to a version that contains the fix for the allowDocPreview authorization bypass.
Disable or restrict the Public Markdown Preview endpoint for unauthenticated users, for example by configuring the web server or an application firewall to block access to /workspace/:workspaceId/:docId from untrusted sources.
Ensure that server‑side code performing the preview operation includes a proper authorization check before returning the document content.

Generated by OpenCVE AI on May 3, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4
https://vuldb.com/submit/804455
https://vuldb.com/vuln/360871
https://vuldb.com/vuln/360871/cti

History

Sun, 03 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Toeverything Toeverything affine
Vendors & Products		Toeverything Toeverything affine

Sun, 03 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization
First Time appeared		Affine Affine affine
Weaknesses		CWE-285 CWE-639
CPEs		cpe:2.3:a:affine:affine::::::::
Vendors & Products		Affine Affine affine
References		https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4 https://vuldb.com/submit/804455 https://vuldb.com/vuln/360871 https://vuldb.com/vuln/360871/cti
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Affine Affine

Toeverything Affine

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-03T15:45:10.969Z

Updated: 2026-05-03T15:45:10.969Z

Reserved: 2026-05-02T20:34:33.828Z

Link: CVE-2026-7702

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-03T16:15:57.937

Modified: 2026-05-03T16:15:57.937

Link: CVE-2026-7702

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T19:30:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object