CVE-2026-3321
Authorization Bypass in Console-Survey API Exposes Sensitive Data
Publication date: 2026-03-30
Last updated on: 2026-03-30
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| on24 | engagement_platform | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and testing access to the endpoint `console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/` for unauthorized access attempts.
Specifically, you can attempt to enumerate event IDs and timestamps by sending HTTP requests to this endpoint without authentication to check if the Q&A chat history is accessible.
For example, you can use curl commands to test the endpoint:
- curl -i -X GET "https://<target-domain>/console-survey/api/v1/answer/1/1234567890/"
- curl -i -X GET "https://<target-domain>/console-survey/api/v1/answer/2/1234567890/"
By iterating over possible EVENTID and TIMESTAMP values, you can check if the server returns sensitive Q&A data without requiring authentication, indicating the presence of the vulnerability.
Can you explain this vulnerability to me?
CVE-2026-3321 is a high-severity authorization bypass vulnerability in the ON24 engagement platform's Q&A chat feature. It exists in the endpoint 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' and allows an unauthenticated attacker to manipulate a user-controlled key to bypass authorization.
By exploiting this flaw, an attacker can enumerate event IDs and retrieve the complete Q&A chat history, which includes sensitive data such as IDs, private URLs, private messages, and internal references that should only be accessible to authenticated users.
This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and can be used to facilitate further malicious activities like reconnaissance for lateral movement, exploitation of related systems, or unauthorized access to internal applications referenced in the chat messages.
How can this vulnerability impact me? :
This vulnerability can have serious impacts by exposing sensitive and private information from the Q&A chat history to unauthorized users.
- An attacker can obtain IDs, private URLs, private messages, and internal references that should be restricted.
- The leaked information can be used for reconnaissance to move laterally within a network.
- It can lead to exploitation of related systems or unauthorized access to internal applications referenced in the chat content.
What immediate steps should I take to mitigate this vulnerability?
No solution or patch has been reported at this time for this vulnerability.
Due to the lack of an official fix, immediate mitigation steps are not specified in the available information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized access to sensitive information such as IDs, private URLs, private messages, and internal references that should only be accessible to authenticated users.
The exposure of such sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
By enabling unauthorized data disclosure, the vulnerability increases the risk of data breaches, which can result in regulatory penalties and harm to affected individuals.