CVE-2026-11369
Deferred Deferred - Pending Action
Comment API IDOR in Process Management System

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: 86c47df7-7d28-48da-920a-6423c52fd3da

Description
The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-11369
EUVD
EUVD-2026-34827
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linqi onpremise to 1.4.8.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID, due to missing authorization checks. This Insecure Direct Object Reference (IDOR) flaw could lead to unauthorized access and modification of data.

Such unauthorized access and potential data exposure or modification can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in the Comment API of the affected application. Specifically, the API endpoints GET /api/Comment and POST /api/Comment do not perform proper authorization checks to verify if the requesting user has access rights to the object identified by the relatedObjectId.

As a result, any authenticated user can read and write comments on any process across all business units by supplying an arbitrary object GUID, bypassing intended access controls.

Impact Analysis

This vulnerability allows unauthorized access to comment data across all business units within the application. An attacker or malicious user with valid authentication can read and modify comments on any process by using arbitrary object identifiers.

This can lead to unauthorized disclosure of sensitive information, manipulation of comment data, and potential disruption of business processes that rely on comment integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11369. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart