CVE-2026-3321
Deferred Deferred - Pending Action
Authorization Bypass in Console-Survey API Exposes Sensitive Data

Publication date: 2026-03-30

Last updated on: 2026-05-19

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3321
EUVD
EUVD-2026-17084
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
on24 engagement_platform *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring and testing access to the endpoint `console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/` for unauthorized access attempts.

Specifically, you can attempt to enumerate event IDs and timestamps by sending HTTP requests to this endpoint without authentication to check if the Q&A chat history is accessible.

For example, you can use curl commands to test the endpoint:

  • curl -i -X GET "https://<target-domain>/console-survey/api/v1/answer/1/1234567890/"
  • curl -i -X GET "https://<target-domain>/console-survey/api/v1/answer/2/1234567890/"

By iterating over possible EVENTID and TIMESTAMP values, you can check if the server returns sensitive Q&A data without requiring authentication, indicating the presence of the vulnerability.

Executive Summary

CVE-2026-3321 is a high-severity authorization bypass vulnerability in the ON24 engagement platform's Q&A chat feature. It exists in the endpoint 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' and allows an unauthenticated attacker to manipulate a user-controlled key to bypass authorization.

By exploiting this flaw, an attacker can enumerate event IDs and retrieve the complete Q&A chat history, which includes sensitive data such as IDs, private URLs, private messages, and internal references that should only be accessible to authenticated users.

This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and can be used to facilitate further malicious activities like reconnaissance for lateral movement, exploitation of related systems, or unauthorized access to internal applications referenced in the chat messages.

Impact Analysis

This vulnerability can have serious impacts by exposing sensitive and private information from the Q&A chat history to unauthorized users.

  • An attacker can obtain IDs, private URLs, private messages, and internal references that should be restricted.
  • The leaked information can be used for reconnaissance to move laterally within a network.
  • It can lead to exploitation of related systems or unauthorized access to internal applications referenced in the chat content.
Mitigation Strategies

No solution or patch has been reported at this time for this vulnerability.

Due to the lack of an official fix, immediate mitigation steps are not specified in the available information.

Compliance Impact

This vulnerability allows unauthorized access to sensitive information such as IDs, private URLs, private messages, and internal references that should only be accessible to authenticated users.

The exposure of such sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

By enabling unauthorized data disclosure, the vulnerability increases the risk of data breaches, which can result in regulatory penalties and harm to affected individuals.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart