CVE-2026-40127
Authorization Bypass in OutSystems Lifetime
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: CERT.PL
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| outsystems | lifetime | 11.28.2.3955 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | Authorization Bypass Through User-Controlled Key: the system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is an authorization bypass (CWE-639, an insecure direct object reference) in OutSystems Lifetime. The Change Log is looked up by the client-supplied ApplicationID parameter without checking that the authenticated user is actually entitled to that application, so any authenticated user can read Change Log entries for applications they have no rights on, including the application names and the actions other users performed. Authentication is enforced; object-level authorization on the ApplicationID key is not.
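The pattern described above, as an added example that is not OutSystems code and not taken from this entry: a vulnerable handler that only checks for a logged-in user beside a fixed one that also checks the caller's grants on the requested ApplicationID, plus a small authorization regression check that reports which IDs a handler leaks to a given user. The data model, role names, application IDs and log entries are all constructed for the illustration.

```python
"""Illustration of CWE-639 (authorization bypass through a user-controlled key),
modelled on the ApplicationID issue in this entry. Added example; not OutSystems
code. The data model, grants and handler names are hypothetical."""
from dataclasses import dataclass, field

# Constructed sample data standing in for an application registry and its
# change log; IDs, names and actions are made up for this example.
APPLICATIONS = {
    101: "Payroll",
    102: "Inventory",
}

CHANGE_LOG = {
    101: [("alice", "Deployed Payroll v3.2"), ("bob", "Changed environment setting")],
    102: [("carol", "Tagged Inventory v1.9")],
}


@dataclass
class User:
    name: str
    # Application IDs this user has been granted a role on (hypothetical model).
    app_permissions: set = field(default_factory=set)
    is_admin: bool = False


class AuthorizationError(Exception):
    pass


def change_log_vulnerable(user, application_id):
    """Authentication only: any logged-in user may read any application's log
    simply by varying the ApplicationID key. This is the CWE-639 pattern."""
    if user is None:
        raise AuthorizationError("login required")
    return CHANGE_LOG.get(application_id, [])


def change_log_fixed(user, application_id):
    """Authentication plus object-level authorization: the client-supplied key is
    checked against the caller's own grants before any record is returned."""
    if user is None:
        raise AuthorizationError("login required")
    # Same error for unknown and forbidden IDs, so the endpoint cannot be used
    # to enumerate which application IDs exist.
    if application_id not in APPLICATIONS:
        raise AuthorizationError("not found or not permitted")
    if not (user.is_admin or application_id in user.app_permissions):
        raise AuthorizationError("not found or not permitted")
    return CHANGE_LOG[application_id]


def idor_check(handler, user, application_ids):
    """Authorization regression check: returns the IDs for which `handler` gave
    `user` records although the user holds no grant on them. An empty list means
    the handler enforces object-level authorization for this user."""
    leaked = []
    for app_id in application_ids:
        if user.is_admin or app_id in user.app_permissions:
            continue
        try:
            if handler(user, app_id):
                leaked.append(app_id)
        except AuthorizationError:
            pass
    return leaked


if __name__ == "__main__":
    dave = User("dave", app_permissions={102})
    print("vulnerable handler leaks:", idor_check(change_log_vulnerable, dave, APPLICATIONS))
    print("fixed handler leaks:", idor_check(change_log_fixed, dave, APPLICATIONS))
```

The fix is the check on the key itself, not on the session: a user with a grant only on application 102 must be refused application 101 even though they are logged in. Returning one indistinguishable error for missing and forbidden IDs keeps the endpoint from doubling as an application-ID oracle.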
How can this vulnerability impact me?
The impact is information disclosure: any authenticated Lifetime user can read Change Log records about other users' actions and about applications they are not entitled to see. This exposes operational details, such as which applications exist and what changes other users made to them, that should remain confined to the users with rights on those applications.
What immediate steps should I take to mitigate this vulnerability?
Confirm the installed OutSystems Lifetime version and upgrade to 11.28.2.3955 or later, the release in which this entry reports the issue fixed; earlier releases should be treated as affected. Because the flaw is reachable by any authenticated user, keeping the set of Lifetime accounts to those who need them limits exposure until the upgrade is applied.