CVE-2026-59262
Received Received - Intake

AFFiNE GraphQL History Exposure via Doc.Read Permission Bypass

Vulnerability report for CVE-2026-59262, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
toeverything affine to 0.26.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in AFFiNE (CVE-2026-59262) occurs because the GraphQL 'histories' field does not properly check if a user has the 'Doc.Read' permission before exposing the edit history of documents.

As a result, any authenticated member of a workspace can supply arbitrary document GUIDs to retrieve the full edit histories of documents, including private pages they do not have permission to access.

The exposed information includes sensitive data such as the names and email addresses of editors and timestamps of their edits.

Compliance Impact

The vulnerability in AFFiNE allows authenticated workspace members to access document edit histories, including sensitive personal information such as user names and email addresses, without proper authorization.

This unauthorized exposure of personal data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personally identifiable information (PII).

Specifically, the leak of editor names, emails, and timestamps of private documents may violate principles of data minimization and confidentiality mandated by these standards.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information within a workspace.

  • Attackers or unauthorized users can access detailed edit histories of documents they should not see.
  • Exposed data includes user names, email addresses, and timestamps, which can reveal private collaboration patterns.
  • This can compromise privacy and confidentiality of workspace content and user information.
Detection Guidance

This vulnerability can be detected by attempting to query the GraphQL `histories` field with arbitrary document GUIDs while authenticated as a workspace member. If the system returns edit histories including user names, emails, and timestamps for documents the user should not have access to, the vulnerability is present.

A practical detection method is to use a GraphQL query targeting the `histories` field with various document GUIDs and observe if unauthorized document histories are returned.

  • Use a GraphQL client or curl to send a query like: ``` curl -X POST https://your-affine-instance/graphql \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer <your_auth_token>' \ -d '{"query": "query { histories(docId: \"<arbitrary-doc-guid>\") { editor { name email } timestamp } }"}' ``` If the response includes edit history for documents you should not access, the vulnerability exists.
Mitigation Strategies

The immediate mitigation step is to upgrade AFFiNE to version 0.26.3 or later, where the vulnerability has been fixed by adding proper `Doc.Read` permission checks to the `histories` GraphQL resolver.

If upgrading is not immediately possible, restrict access to the GraphQL API to trusted users only and monitor for suspicious queries targeting document histories.

Additionally, review and apply any patches or commits related to CVE-2026-59262, such as the fix in commit 1f0bcd0, which enforces authorization checks before exposing document edit histories.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59262. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart