CVE-2026-34905

Exposure of Sensitive Information in Apache Answer

Vulnerability report for CVE-2026-34905, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-10

Assigner: Apache Software Foundation

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

Meta Information

Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

One associated CPE: vendor apache, product answer, versions up to 2.0.1 (2.0.1 excluded).

Exploitability

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Apache Answer versions through 2.0.0 involves the unlisted question feature not enforcing proper access restrictions on direct API endpoints.

As a result, authenticated users could discover and access unlisted questions along with their answers, comments, and revision history, which should have been restricted.

Impact Analysis

The vulnerability can lead to unauthorized exposure of sensitive or private information contained in unlisted questions and their associated data.

This exposure could compromise confidentiality and privacy by allowing users who should not have access to view or retrieve sensitive content.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Answer to version 2.0.1, which fixes the issue.

Compliance Impact

The vulnerability involves exposure of sensitive information to unauthorized actors by allowing authenticated users to access unlisted questions and related data without proper access restrictions.

Such exposure of sensitive information could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any regulatory consequences.

Detection Guidance

To detect this vulnerability on your system, first check whether your Apache Answer installation is running version 2.0.0 or earlier, as all of these versions are affected.

Since the vulnerability involves unauthorized access to unlisted questions via direct API endpoints, you can attempt to access these endpoints with an authenticated user to see if unlisted questions, answers, comments, or revision history are accessible.

A practical approach is to use command-line tools like curl to test API endpoints for unlisted questions while authenticated.

  • Authenticate with your Apache Answer instance and use curl to request unlisted question API endpoints, for example: curl -H "Authorization: Bearer <token>" https://your-apache-answer-instance/api/unlisted-questions/<id>
  • Check if the response includes unlisted questions or related sensitive information that should be restricted.

If unlisted questions are accessible without proper restrictions, your system is vulnerable.

The recommended fix is to upgrade Apache Answer to version 2.0.1 or later.
