CVE-2026-53673
Insecure Direct Object Reference in BuddyPress Messages REST API

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.
Affected Vendors & Products
Vendor: buddypress
Product: buddypress
Version / Range: up to and including 14.4.0
CWE ID: CWE-639
Description: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-53673 is a high-severity vulnerability in BuddyPress version 14.4.0 and earlier that involves an insecure direct object reference (IDOR) in the messages REST API.

This vulnerability allows authenticated attackers to access private message threads of other users by supplying a different user_id parameter in the API request.

The root cause is that the get_item_permissions_check method validates the user_id parameter against the supplied value instead of the logged-in user's ID, and this flawed validation is reused by the update and delete handlers.

As a result, attackers can read, reply to, or delete any user's private messages without proper authorization.
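
The two shapes of the permission check described above, as an added illustration that is not BuddyPress code: a check that authorizes against a caller-supplied user_id beside one that authorizes only the logged-in user. The in-memory thread store, user ids and the moderator flag are constructed for the example.

```php
<?php
// Constructed thread store: thread id => recipient user ids (not real data).
$threads = [
    7 => [101, 102],   // thread 7 is a conversation between users 101 and 102
    9 => [103, 104],   // thread 9 is a conversation between users 103 and 104
];

// Vulnerable shape (CWE-639): membership is checked for whatever user_id the
// request carries, so the caller picks whose access is verified.
function vulnerable_permissions_check(array $request, int $logged_in_user, array $threads): bool
{
    $user_id = (int) ($request['user_id'] ?? $logged_in_user);
    return in_array($user_id, $threads[$request['id']] ?? [], true);
}

// Hardened shape: the identity used for authorization comes from the session.
// Acting on another user's behalf is allowed only for moderators, which is
// the one legitimate reason a user_id parameter might exist on this route.
function hardened_permissions_check(array $request, int $logged_in_user, bool $is_moderator, array $threads): bool
{
    if ($logged_in_user === 0) {
        return false;                               // unauthenticated: deny
    }
    $user_id = $logged_in_user;
    if (isset($request['user_id']) && (int) $request['user_id'] !== $logged_in_user) {
        if (!$is_moderator) {
            return false;                           // foreign user_id from a normal user
        }
        $user_id = (int) $request['user_id'];       // moderator override, explicit
    }
    return in_array($user_id, $threads[$request['id']] ?? [], true);
}

// The same callback is reused by the read, update (reply) and delete handlers,
// so one correct check covers all three routes.
$me  = 103;                                         // constructed logged-in user
$req = ['id' => 7, 'user_id' => 101];               // thread 7, someone else's user_id
foreach (['get', 'update', 'delete'] as $handler) {
    printf("%-6s vulnerable=%s hardened=%s\n", $handler,
        vulnerable_permissions_check($req, $me, $threads) ? 'ALLOW' : 'DENY',
        hardened_permissions_check($req, $me, false, $threads) ? 'ALLOW' : 'DENY');
}
```

Running it shows the vulnerable check granting user 103 access to thread 7 on every route while the hardened check denies all three; the same input with the moderator flag set is the only path that should pass.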

Impact Analysis

This vulnerability can have serious impacts on users and site administrators.

  • Attackers who are authenticated can access private messages of other users, compromising user privacy.
  • Attackers can reply to messages on behalf of other users, potentially spreading misinformation or malicious content.
  • Attackers can delete private messages of other users, leading to loss of important communications.

Overall, this vulnerability undermines the confidentiality and integrity of private communications within the BuddyPress platform.

Compliance Impact

The provided context and resources do not contain any information regarding the impact of CVE-2026-53673 on compliance with common standards and regulations such as GDPR or HIPAA.
