CVE-2026-7145
Deferred Deferred - Pending Action
Authorization Bypass in Mettle Sendportal Invitation Handler

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: VulDB

Description
A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7145
EUVD
EUVD-2026-25896
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mettle sendportal to 3.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can impact you by allowing unauthorized deletion of invitation records from workspaces you do not own. An attacker who exploits this flaw can remove invitations from other users' workspaces, potentially disrupting collaboration or access management.

Since the attack can be initiated remotely and requires only limited privileges (workspace owner), it poses a moderate risk of unauthorized data manipulation within the application.

Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in the Sendportal application, specifically in the destroy() method of the WorkspaceInvitationsController. It allows a user who owns one workspace to delete invitation records belonging to other workspaces without proper authorization checks.

The issue arises because the destroy() method deletes an invitation without verifying that the invitation belongs to the user's current workspace. Although middleware ensures the user owns their current workspace, it does not check if the invitation being deleted is part of that workspace. This allows an attacker to manipulate the invitation argument and bypass authorization.

Detection Guidance

This vulnerability is an authorization bypass in the destroy() method of the WorkspaceInvitationsController in the Sendportal application, allowing deletion of invitations from other workspaces without proper ownership checks.

To detect exploitation attempts or presence of this vulnerability, you can monitor HTTP DELETE requests to the invitation deletion endpoint and verify if invitations from other workspaces are being deleted.

Since the vulnerability arises from missing ownership verification in the application code, detection on the network level involves inspecting API calls that delete invitations and checking if the invitation IDs belong to the current user's workspace.

  • Use web server or application logs to identify DELETE requests to the invitations endpoint (e.g., DELETE /workspaces/invitations/{invitation_id}).
  • Query the database to check if invitations are being deleted that do not belong to the authenticated user's workspace.
  • Example command to check logs for DELETE requests (assuming Apache logs): `grep "DELETE /workspaces/invitations/" /var/log/apache2/access.log`
  • Example SQL query to find invitations deleted without matching workspace ownership: `SELECT * FROM invitations WHERE id NOT IN (SELECT invitation_id FROM audit_log WHERE user_workspace_id = invitations.workspace_id);` (adjust based on your audit logging schema).
Mitigation Strategies

The immediate mitigation is to add an ownership verification check in the destroy() method of the WorkspaceInvitationsController to ensure that the invitation being deleted belongs to the authenticated user's current workspace.

Specifically, modify the destroy() method to abort the request with a 404 error if the invitation's workspace_id does not match the current user's workspace ID.

  • Implement the following code fix in app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php:
  • ```php public function destroy(Invitation $invitation): RedirectResponse { abort_unless($invitation->workspace_id === auth()->user()->currentWorkspace()->id, 404); $invitation->delete(); return redirect()->route('users.index'); } ```

Until the fix is applied, restrict access to the invitation deletion functionality to trusted users only and monitor deletion activities closely.

Compliance Impact

This vulnerability allows an authorization bypass that enables a user to delete invitation records belonging to other workspaces without proper access control.

Such unauthorized access and manipulation of data could lead to violations of data protection principles required by standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.

By failing to properly verify ownership before deleting invitations, the system risks unauthorized data modification, which can compromise data integrity and confidentiality, potentially resulting in non-compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart