CVE-2026-56767
Deferred - Pending Action
Maxun Cross-Tenant IDOR Exposes User Robots and Tokens

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference (IDOR) vulnerability in the storage and webhook API handlers. The handlers look objects up by identifier without checking that the authenticated caller owns them, so any authenticated user can read, modify, delete, or execute other users' robots and read their stored OAuth tokens. The Google and Airtable access tokens are returned in plaintext.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor   Product   Version / Range
maxun    maxun     before 0.0.42 (0.0.42 excluded): affected
maxun    maxun     0.0.42 (listed CPE; this is the fixed release per the description)
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Compliance Impact

The vulnerability allows authenticated users to access other users' robots and OAuth tokens, including reading plaintext Google and Airtable access tokens, and modifying, deleting, or executing other users' robots, because the affected endpoints perform no ownership check. This unauthorized access to personal and authentication data could lead to violations of data protection regulations such as GDPR, and of HIPAA where the robots or linked accounts handle protected health information, since both require strict controls on who may access and process such data.

Specifically, the exposure of OAuth tokens and cross-tenant data access represents a failure in access control and data isolation, which are critical for compliance with standards that mandate confidentiality, integrity, and proper authorization of personal and sensitive information.

Detection Guidance

This vulnerability lets authenticated users reach other users' robots and OAuth tokens through API endpoints that never check ownership. Detection therefore has to be done retrospectively from API access logs: for each request to the storage and webhook handlers, compare the authenticated user identity against the owner of the robot or run referenced in the request path, and flag every successful request where the two differ. This only works if the logs record the caller's user ID (or session) alongside the request path and response status; a log that records only the client IP cannot attribute a cross-tenant access.

Specific commands or tools to detect this vulnerability are not provided in the available resources.
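The ownership comparison described above, as an added example that is not part of the advisory or the Maxun project. The log format, the path shapes (`/api/storage/recordings/<id>`, `/api/storage/runs/<id>`, `/api/webhook/<id>`) and the ownership table are hypothetical and constructed for the example; a real deployment would take the ownership map from the application database and the entries from its access log.

```typescript
// Added example, not Maxun's code: offline detection of cross-tenant robot access
// from access-log lines. Log format, paths and ownership data are hypothetical.

interface AccessLogEntry {
  ts: string;
  userId: string;   // authenticated caller, assumed to be logged by the API
  method: string;
  path: string;
  status: number;
}

// Constructed sample log in a hypothetical "ts user method path status" layout.
const SAMPLE_LOG = `
2026-06-25T10:00:01Z u-100 GET /api/storage/recordings/r-1 200
2026-06-25T10:00:05Z u-200 GET /api/storage/recordings/r-1 200
2026-06-25T10:00:09Z u-200 DELETE /api/storage/recordings/r-1 200
2026-06-25T10:01:00Z u-100 PUT /api/webhook/r-2 200
2026-06-25T10:01:30Z u-300 POST /api/storage/runs/r-2 403
`.trim();

// Hypothetical ownership table: robot id -> owning user id (from the app database).
const OWNERS: Record<string, string> = { "r-1": "u-100", "r-2": "u-100" };

function parseLog(text: string): AccessLogEntry[] {
  return text
    .split("\n")
    .filter(line => line.trim().length > 0)
    .map(line => {
      const [ts, userId, method, path, status] = line.trim().split(/\s+/);
      return { ts, userId, method, path, status: Number(status) };
    });
}

// Robot/run identifier in the storage and webhook paths (hypothetical path shapes).
const ROBOT_ID_RE = /\/api\/(?:storage|webhook)\/(?:recordings\/|runs\/)?([A-Za-z0-9-]+)/;

function extractRobotId(path: string): string | null {
  const m = ROBOT_ID_RE.exec(path);
  return m ? m[1] : null;
}

interface Finding {
  entry: AccessLogEntry;
  owner: string;   // who actually owns the referenced robot
  denied: boolean; // true when the server refused (non-2xx); still worth alerting on
}

// Every request that references a robot the caller does not own is a finding.
// Successful ones (denied === false) are evidence of exploitation on an
// unpatched instance; denied ones are attempts that the patched code refused.
function findCrossTenantAccess(entries: AccessLogEntry[], owners: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const entry of entries) {
    const id = extractRobotId(entry.path);
    if (id === null || !(id in owners)) continue;
    const owner = owners[id];
    if (owner === entry.userId) continue;
    const denied = entry.status < 200 || entry.status >= 300;
    findings.push({ entry, owner, denied });
  }
  return findings;
}

function runDetection(): Finding[] {
  return findCrossTenantAccess(parseLog(SAMPLE_LOG), OWNERS);
}
```

On the constructed log, `runDetection()` returns three findings: the two successful requests by u-200 against r-1 (read and delete, the cross-tenant pattern the advisory describes) and the refused POST by u-300 against r-2. Whether a 403 counts as an attempt or as noise depends on whether the instance was already patched when the log was written.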

Mitigation Strategies

To mitigate this vulnerability, upgrade Maxun to version 0.0.42 or later, where the issue has been fixed by enforcing strict authentication and authorization checks.

The fix includes ensuring all API endpoints reject unauthenticated requests with a 401 error, constraining database queries by user ID to isolate user-specific data, and enforcing user-scoped authorization in robot and run retrieval, modification, and duplication endpoints.

Additionally, validate webhook URLs to prevent SSRF attacks and improve error handling to avoid exposing unauthorized data.
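The two fix points above (scope the lookup to the caller's user ID; validate webhook URLs) as an added example, not code from the Maxun project or the advisory. It shows a vulnerable handler beside a hardened one over an in-memory store, which stands in for the database query; the `User`, `Robot`, `HttpError` and `ROBOTS` names are hypothetical.

```typescript
// Added example, not Maxun's code: the IDOR shape (lookup by id only) beside the
// user-scoped lookup the fix describes, plus a webhook URL check. Names and the
// in-memory store are hypothetical stand-ins for the real models and database.

interface User { id: string }
interface Robot { id: string; ownerId: string; label: string; googleToken?: string }

class HttpError extends Error {
  constructor(public status: number, msg: string) { super(msg); }
}

// Constructed store: two tenants, one robot each, each with a stored OAuth token.
const ROBOTS: Robot[] = [
  { id: "r-1", ownerId: "u-100", label: "price-tracker", googleToken: "ya29.example-a" },
  { id: "r-2", ownerId: "u-200", label: "lead-list", googleToken: "ya29.example-b" },
];

// Vulnerable shape (CWE-862): authenticated, but the lookup is by id alone, so any
// logged-in user receives any robot, stored token included.
function getRobotInsecure(user: User | null, robotId: string): Robot {
  if (!user) throw new HttpError(401, "unauthenticated");
  const robot = ROBOTS.find(r => r.id === robotId);
  if (!robot) throw new HttpError(404, "not found");
  return robot;
}

// Hardened shape: the query itself is constrained by the caller's user id, and a
// miss is reported as 404 so the endpoint does not confirm that another tenant's
// robot id exists. The same pattern applies to run, update, delete and duplicate.
function getRobotSecure(user: User | null, robotId: string): Robot {
  if (!user) throw new HttpError(401, "unauthenticated");
  const robot = ROBOTS.find(r => r.id === robotId && r.ownerId === user.id);
  if (!robot) throw new HttpError(404, "not found");
  return robot;
}

// Literal-address check for loopback, link-local and RFC 1918 / ULA ranges.
// Caveat: this does not cover hostnames that resolve to internal addresses or
// DNS rebinding; for that, resolve and re-check the address at request time.
function isPrivateHost(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h === "::1" || h === "0.0.0.0") return true;
  if (/^(127|10|0)\./.test(h)) return true;
  if (/^169\.254\./.test(h) || /^192\.168\./.test(h)) return true;
  if (/^172\.(1[6-9]|2\d|3[01])\./.test(h)) return true;
  if (/^(fe80|fc[0-9a-f]{2}|fd[0-9a-f]{2}):/.test(h)) return true;
  return false;
}

// Webhook URL validation: http(s) only, no embedded credentials, no private host.
// The WHATWG URL parser normalises tricks such as "http://2130706433/" to 127.0.0.1
// before the host check sees them.
function isSafeWebhookUrl(raw: string): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  if (u.username !== "" || u.password !== "") return false;
  if (isPrivateHost(u.hostname)) return false;
  return true;
}
```

The point of the scoped query is that ownership is part of the `WHERE` clause, not a check bolted on after the row has been fetched: a later refactor cannot accidentally return the row before the check runs, and the 404 for a foreign id leaks nothing about other tenants' objects.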

Executive Summary

This vulnerability exists in Maxun versions before 0.0.42 and is a cross-tenant insecure direct object reference issue in the storage and webhook API handlers.

It allows authenticated users to access other users' robots and OAuth tokens by bypassing ownership checks in API endpoints.

Attackers can read plaintext Google and Airtable access tokens, as well as modify, delete, or execute other users' robots.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive OAuth tokens and control over other users' robots.

Attackers can read sensitive access tokens in plaintext, which may lead to further compromise of linked services such as Google and Airtable.

They can also modify, delete, or execute robots belonging to other users, potentially disrupting operations or causing data loss.
