CVE-2026-29200
Received Received - Intake
IDOR Vulnerability in Comet Backup Allows Tenant Impersonation

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: HackerOne

Description
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29200
EUVD
EUVD-2026-26893
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
comet_backup comet_backup From 20.11.0 (inc) to 26.1.1 (inc)
comet_backup comet_backup 26.1.2
comet_backup comet_backup 26.2.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29200 is a critical Insecure Direct Object Reference (IDOR) vulnerability found in Comet Backup versions from 20.11.0 to 26.1.1 and 26.2.1.

This vulnerability allows a tenant administrator to impersonate any end-user account belonging to other tenants on the same server by exploiting a vulnerable API call.

Impact Analysis

The vulnerability can lead to cross-tenant account takeover, meaning a tenant administrator could impersonate users from other tenants on the same server.

This could result in unauthorized access to sensitive data and actions performed on behalf of other users, potentially compromising confidentiality and integrity.

Mitigation Strategies

To mitigate the critical IDOR vulnerability in Comet Backup, you should update your self-hosted Comet Backup instances to version 26.1.2, 26.2.2, or higher.

If you are using Comet Hosted servers, no action is required as they have already been upgraded.

Compliance Impact

The vulnerability allows tenant administrators to impersonate end-user accounts of other tenants on the same server, leading to unauthorized access to sensitive data.

Such unauthorized access and potential data exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Therefore, if exploited, this vulnerability could lead to violations of these standards due to failure to adequately protect user data and prevent unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29200. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart