CVE-2026-29200
IDOR Vulnerability in Comet Backup Allows Tenant Impersonation
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: HackerOne
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comet_backup | comet_backup | From 20.11.0 (inc) to 26.1.1 (inc) |
| comet_backup | comet_backup | 26.1.2 |
| comet_backup | comet_backup | 26.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29200 is a critical Insecure Direct Object Reference (IDOR) vulnerability found in Comet Backup versions from 20.11.0 to 26.1.1 and 26.2.1.
This vulnerability allows a tenant administrator to impersonate any end-user account belonging to other tenants on the same server by exploiting a vulnerable API call.
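The pattern behind CWE-639 on an impersonation-style API, shown as an added example that is not Comet Backup's code: the vulnerable handler trusts a client-supplied user identifier alone, while the fixed handler also requires that the target belongs to the caller's own tenant. All names (Caller, User, impersonate_*) and the sample directory are hypothetical.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str


@dataclass(frozen=True)
class Caller:
    """An authenticated tenant administrator making the API request."""
    admin_id: str
    tenant_id: str  # taken from the server-side session, not the request


# Constructed sample data standing in for the server's user directory.
USERS = {
    "alice": User("alice", "tenant-A"),
    "bob": User("bob", "tenant-B"),
}


def impersonate_vulnerable(caller: Caller, user_id: str) -> User:
    """CWE-639 pattern: the caller is authenticated, but the target is looked
    up only by the client-supplied id. Nothing ties the record to the caller's
    tenant, so an admin of one tenant can reach every tenant's users."""
    return USERS[user_id]


def impersonate_fixed(caller: Caller, user_id: str) -> User:
    """Ownership check: the target must be in the caller's tenant."""
    target = USERS.get(user_id)
    # One error for "not found" and "other tenant", so the response does not
    # reveal whether a user id from a foreign tenant exists.
    if target is None or target.tenant_id != caller.tenant_id:
        raise AuthorizationError("user not found in caller's tenant")
    return target


def cross_tenant_allowed(handler) -> bool:
    """True if handler lets a tenant-A admin act as tenant-B's user."""
    admin_a = Caller("admin-a", "tenant-A")
    try:
        return handler(admin_a, "bob").tenant_id == "tenant-B"
    except AuthorizationError:
        return False
```

A regression test that asserts `cross_tenant_allowed` is false for every identifier-taking endpoint is a cheap way to keep this class of bug from returning.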
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows tenant administrators to impersonate end-user accounts of other tenants on the same server, leading to unauthorized access to sensitive data.
Such unauthorized access and potential data exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Therefore, if exploited, this vulnerability could lead to violations of these standards due to failure to adequately protect user data and prevent unauthorized access.
How can this vulnerability impact me?
The vulnerability can lead to cross-tenant account takeover, meaning a tenant administrator could impersonate users from other tenants on the same server.
This could result in unauthorized access to sensitive data and actions performed on behalf of other users, potentially compromising confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the critical IDOR vulnerability in Comet Backup, you should update your self-hosted Comet Backup instances to version 26.1.2, 26.2.2, or higher.
If you are using Comet Hosted servers, no action is required as they have already been upgraded.