CVE-2026-50875
Status: Received - Intake
Incorrect Access Control in Deck9 Input v2.0.1 Webhook Endpoint

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.
Affected Vendors & Products

Vendor: deck9
Product: input
Version / Range: 2.0.1
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-50875 is a vulnerability in Deck9 Input version 2.0.1 that allows authenticated users to modify or delete webhooks belonging to other tenants or forms without proper authorization.

The issue occurs because the application checks authorization based on the parent form in the URL path, but the webhook object being modified is resolved independently without verifying it belongs to that form.

As a result, an attacker who knows the identifier of a webhook can send a crafted request to update or delete that webhook, even if they do not own the parent form, leading to unauthorized changes across different forms.

Impact Analysis

This vulnerability allows an authenticated attacker to arbitrarily modify or delete webhooks that belong to other tenants or forms.

Such unauthorized modifications can lead to loss of webhook integrity, potentially causing disruption in automated workflows, data processing, or notifications that rely on these webhooks.

Attackers could redirect, disable, or delete webhooks, which might result in missed or altered data transmissions and could affect the reliability and security of your system.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious API requests to the endpoint pattern `/forms/{form}/webhooks/{webhook}` in which an authenticated user attempts to modify or delete a webhook that does not belong to the form they are authorized for.

Specifically, detection involves identifying PUT or DELETE HTTP requests to the `/forms/{form}/webhooks/{webhook}` endpoint where the `{form}` parameter belongs to the authenticated user but the `{webhook}` parameter corresponds to a webhook owned by a different tenant.

Such activity can be surfaced from web server access logs or from network traffic inspection. For example, using `grep` on access logs to list webhook modification requests (this only narrows the set of candidate requests; deciding whether a request crossed a tenant boundary still requires comparing the webhook's owning form with the `{form}` in the path):

  • grep -E '"(PUT|DELETE) /forms/[^/ ]+/webhooks/[^/ ]+' /var/log/nginx/access.log
  • Use tools like Wireshark or tcpdump to capture HTTP traffic and filter for requests to `/forms/` and `/webhooks/` endpoints. This only works where the traffic is visible in cleartext, for example between a TLS-terminating proxy and the application.
  • Implement application-level logging to record authenticated user IDs, requested form IDs, and webhook IDs for all webhook modification requests, then audit for mismatches between the form in the path and the form that actually owns the webhook.
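The mismatch audit described in the last bullet, as an added example that is not code from Deck9 Input or from this advisory. It assumes a hypothetical structured log line of the form `<ts> user=<id> method=<METHOD> form=<form_id> webhook=<webhook_id>` (the kind of application-level record the bullet asks an operator to emit) and a lookup table from webhook id to owning form; both are constructed inline as sample data. PATCH is treated as a mutating method alongside PUT and DELETE as an assumption, since the advisory names only PUT and DELETE.

```python
"""Audit application-level webhook mutation logs for cross-form access.

Added example, not Deck9 Input code. Log format and ownership table are
hypothetical/constructed (see module comments below).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample ownership table: webhook id -> owning form id.
WEBHOOK_OWNER: Dict[str, str] = {
    "wh-100": "form-A",
    "wh-101": "form-A",
    "wh-200": "form-B",
}

# Constructed sample log lines in the hypothetical format described above.
SAMPLE_LOG = """\
2026-06-15T10:00:01Z user=u1 method=PUT form=form-A webhook=wh-100
2026-06-15T10:00:05Z user=u1 method=DELETE form=form-A webhook=wh-200
2026-06-15T10:00:09Z user=u2 method=GET form=form-B webhook=wh-200
2026-06-15T10:00:12Z user=u2 method=PUT form=form-B webhook=wh-999
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) "
    r"form=(?P<form>\S+) webhook=(?P<webhook>\S+)$"
)
# PATCH included as an assumption; the advisory itself names PUT and DELETE.
MUTATING = {"PUT", "PATCH", "DELETE"}


@dataclass
class Finding:
    ts: str
    user: str
    method: str
    path_form: str
    webhook: str
    owner_form: str  # "<unknown>" when the webhook id is not in the table
    reason: str


def audit(log_text: str, owner: Dict[str, str]) -> List[Finding]:
    """Return one Finding per mutating request whose webhook does not belong
    to the form named in the request path (or whose id is not known at all)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guess
        if m["method"] not in MUTATING:
            continue  # reads cannot alter or delete the webhook
        owner_form = owner.get(m["webhook"])
        if owner_form is None:
            reason = "webhook id not found (possible id probing)"
            owner_form = "<unknown>"
        elif owner_form != m["form"]:
            reason = "webhook owned by a different form than the path form"
        else:
            continue  # path form and owning form agree: consistent request
        findings.append(Finding(m["ts"], m["user"], m["method"],
                                m["form"], m["webhook"], owner_form, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, WEBHOOK_OWNER):
        print(f"{f.ts} user={f.user} {f.method} path_form={f.path_form} "
              f"webhook={f.webhook} owner={f.owner_form}: {f.reason}")
```

Run against the sample data, the second line (a DELETE on `wh-200` through `form-A`, while `wh-200` belongs to `form-B`) and the fourth line (an unknown webhook id) are flagged; the consistent PUT and the GET are not. Unknown ids are reported separately because a burst of them from one user is a useful signal on its own.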
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint and ensuring proper authorization checks are in place.

Specifically, verify that the webhook being modified or deleted actually belongs to the authenticated user's authorized form before allowing any mutation.

Until a patch or fix is applied, consider the following actions:

  • Restrict access to the `/forms/{form}/webhooks/{webhook}` endpoint to only trusted users or IP addresses.
  • Implement additional application-level validation to cross-check ownership of the webhook against the form before processing requests.
  • Monitor logs for suspicious webhook modification or deletion attempts and respond promptly.
  • Contact the vendor or maintainers of Deck9 Input for patches or updates addressing this vulnerability.
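The ownership cross-check from the second bullet, shown next to the lookup pattern the executive summary describes, as an added example. This is not Deck9 Input's code: the store, model classes and function names are hypothetical, and the sample tenants and webhooks are constructed inline. The point it demonstrates is that the webhook must be resolved within the already-authorized form rather than by its id alone.

```python
"""Scoped vs. unscoped resolution of a nested /forms/{form}/webhooks/{webhook} resource.

Added example with hypothetical names and constructed data; not Deck9 Input code.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Form:
    id: str
    owner_user: str


@dataclass
class Webhook:
    id: str
    form_id: str
    url: str


@dataclass
class Store:
    forms: Dict[str, Form] = field(default_factory=dict)
    webhooks: Dict[str, Webhook] = field(default_factory=dict)


class Forbidden(Exception):
    """Caller is authenticated but does not own the requested form (403)."""


class NotFound(Exception):
    """Resource does not exist within the caller's scope (404)."""


def sample_store() -> Store:
    """Constructed sample data: two tenants, one form and one webhook each."""
    s = Store()
    s.forms["form-A"] = Form("form-A", owner_user="alice")
    s.forms["form-B"] = Form("form-B", owner_user="bob")
    s.webhooks["wh-1"] = Webhook("wh-1", "form-A", "https://a.example/hook")
    s.webhooks["wh-2"] = Webhook("wh-2", "form-B", "https://b.example/hook")
    return s


def authorize_form(store: Store, user: str, form_id: str) -> Form:
    """The check the advisory says is present: the caller must own {form}."""
    form = store.forms.get(form_id)
    if form is None:
        raise NotFound(form_id)
    if form.owner_user != user:
        raise Forbidden(form_id)
    return form


def update_webhook_unscoped(store: Store, user: str, form_id: str,
                            webhook_id: str, new_url: str) -> Webhook:
    """Vulnerable shape: {form} is authorized, but {webhook} is then looked up
    by id alone, so any existing webhook id is accepted."""
    authorize_form(store, user, form_id)
    hook = store.webhooks.get(webhook_id)
    if hook is None:
        raise NotFound(webhook_id)
    hook.url = new_url
    return hook


def resolve_webhook_scoped(store: Store, user: str, form_id: str,
                           webhook_id: str) -> Webhook:
    """Fixed shape: resolve the webhook *within* the authorized form. A webhook
    that exists but belongs to another form is reported as 404, so the request
    neither succeeds nor confirms that the foreign id exists."""
    form = authorize_form(store, user, form_id)
    hook = store.webhooks.get(webhook_id)
    if hook is None or hook.form_id != form.id:
        raise NotFound(webhook_id)
    return hook


def update_webhook_scoped(store: Store, user: str, form_id: str,
                          webhook_id: str, new_url: str) -> Webhook:
    hook = resolve_webhook_scoped(store, user, form_id, webhook_id)
    hook.url = new_url
    return hook


def delete_webhook_scoped(store: Store, user: str, form_id: str,
                          webhook_id: str) -> None:
    hook = resolve_webhook_scoped(store, user, form_id, webhook_id)
    del store.webhooks[hook.id]
```

Both the update and the delete handler go through the same `resolve_webhook_scoped` helper, so the ownership rule lives in one place and cannot be forgotten on one verb. In an ORM the same idea is a relation-scoped query (find the webhook among the form's webhooks) rather than a global find-by-id followed by a separate ownership comparison.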
Compliance Impact

The vulnerability in Deck9 Input v2.0.1 allows authenticated attackers to modify or delete webhooks belonging to other tenants without proper authorization. This incorrect access control can lead to unauthorized data manipulation and potential data integrity issues.

Such unauthorized access and modification of data could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data to prevent unauthorized disclosure, alteration, or deletion.

By enabling attackers to alter or delete webhooks of other tenants, this vulnerability may lead to violations of data protection principles, increasing the risk of non-compliance with these regulations.
