CVE-2026-53536
Received Received - Intake

Activepieces JWT Access to Arbitrary Tenant Files

Vulnerability report for CVE-2026-53536, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Activepieces is an open source AI workflow automation platform. Prior to 0.83.0, the /v1/step-files/signed download endpoint verified the supplied JWT against the shared signing secret but did not check the token's audience, and combined with a missing null-check on the decoded fileId, this allowed any caller holding any valid Activepieces JWT (including a freshly created user's own access token) to receive a step-file belonging to another tenant. The file returned was whatever PostgreSQL happened to scan first for type = FLOW_STEP_FILE, varying over time as the database changed, so an authenticated user could obtain step-file attachments belonging to other tenants on the same instance; the attacker could not target a specific victim or file, and the access was read-only with no integrity or availability impact. This issue is fixed in version 0.83.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
activepieces activepieces 0.83.0
activepieces activepieces to 0.83.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Activepieces versions before 0.83.0 allows authenticated users to download files belonging to other tenants. The /v1/step-files/signed endpoint did not verify the JWT token's audience, and a missing null-check on fileId meant any valid JWT could retrieve arbitrary step-files from the database. The returned file was random and not targetable, with no integrity or availability impact.

Detection Guidance

To detect this vulnerability, check if your Activepieces instance is running a version prior to 0.83.0. Use commands like 'curl -s https://your-activepieces-instance.com/api/version' or inspect the version in the admin dashboard. Monitor logs for unauthorized access attempts to the /v1/step-files/signed endpoint.

Impact Analysis

An attacker with a valid JWT could access step-file attachments belonging to other users on the same instance. While they cannot target specific files, they may collect random files over time. The impact is limited to read-only access with no data modification or deletion possible.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, potentially violating GDPR's data protection principles or HIPAA's confidentiality requirements. Unauthorized access to tenant files may result in compliance breaches depending on the data involved.

Mitigation Strategies

Upgrade Activepieces to version 0.83.0 or later immediately. As a temporary workaround, block the /v1/step-files/signed endpoint at your reverse proxy until upgrading. Ensure no sensitive files are exposed by reviewing access logs for unusual activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53536. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart