HarborGuard Database

CVE-2026-11369 | Severity: HIGH | CNA: linqi

CVE-2026-11369: IDOR in Comment API Allows Cross-Process Comment Read and Write

The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: no fixed version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An insecure direct object reference (IDOR) flaw in the Comment API of linqi (versions up to and including 1.4.8.5) allows any authenticated user to read or write comments on any process object across all business units by supplying an arbitrary object GUID in requests to GET /api/Comment and POST /api/Comment. The API performs no authorization check to confirm the requesting user has permission to access the target object, so a low-privilege account is sufficient to reach comments belonging to other users or business units. Successful exploitation gives an attacker full read access to potentially sensitive process comments and the ability to inject or tamper with comment data across the application. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
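The missing object-level check described above and in the headline summary, shown as an added illustration rather than linqi's own code: the data model (processes owned by business units), the function names and the choice to answer 404 for both unknown and foreign GUIDs are assumptions made for this example.

```python
import uuid
from dataclasses import dataclass, field

# Constructed model, not linqi's: each process belongs to one business unit and
# a user may access a process only if they belong to that unit (assumption).
@dataclass
class User:
    name: str
    business_unit: str

@dataclass
class ProcessObject:
    object_id: str          # the relatedObjectId GUID used by the Comment API
    business_unit: str
    comments: list = field(default_factory=list)

PROCESSES = {}

def add_process(business_unit):
    p = ProcessObject(str(uuid.uuid4()), business_unit)
    PROCESSES[p.object_id] = p
    return p.object_id

def can_access(user, obj):
    return obj is not None and obj.business_unit == user.business_unit

# Vulnerable shape: the handler only requires an authenticated caller and trusts
# whatever relatedObjectId the request carries. Returns (status, body).
def get_comments_vulnerable(user, related_object_id):
    obj = PROCESSES.get(related_object_id)
    return (200, list(obj.comments)) if obj else (404, None)

def post_comment_vulnerable(user, related_object_id, text):
    obj = PROCESSES.get(related_object_id)
    if obj is None:
        return 404, None
    obj.comments.append((user.name, text))
    return 201, None

# Hardened shape: object-level authorization on every read and write. The same
# 404 is returned for "missing" and "not yours" so that response codes do not
# reveal which GUIDs exist (assumed policy for this example).
def _authorized_object(user, related_object_id):
    obj = PROCESSES.get(related_object_id)
    return obj if can_access(user, obj) else None

def get_comments_fixed(user, related_object_id):
    obj = _authorized_object(user, related_object_id)
    return (200, list(obj.comments)) if obj else (404, None)

def post_comment_fixed(user, related_object_id, text):
    obj = _authorized_object(user, related_object_id)
    if obj is None:
        return 404, None
    obj.comments.append((user.name, text))
    return 201, None
```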

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11369 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images derived from affected linqi versions.
Triage: Available

HarborGuard scores this CVE at CVSS 7.1 (High) and surfaces it with that severity weighting inside each customer environment; per-environment compliance policy rules can further elevate its priority and route the finding to the appropriate team inbox for review.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment linqi ships a remediated release. In the interim, customers receive the open finding in their dashboard with compensating-control guidance to apply while the upstream patch is pending.

Exploit Conditions

  • Network reachability: Required

    The Comment API is exposed over the network, so the attacker must be able to reach the application's HTTP endpoint remotely.

  • Authentication: Required

    Any low-privilege account is sufficient; no elevated or administrative credentials are needed to exploit the missing authorization check.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends crafted API requests directly without requiring another user to click, open, or approve anything.

  • Attack complexity: Low

    Exploit complexity is low: the attack requires only knowledge of or the ability to guess a valid object GUID, with no race conditions or special environmental setup needed.

Blast Radius

  • Reads all comments attached to any process object across every business unit by substituting arbitrary GUIDs in GET /api/Comment requests, potentially exposing internal workflow discussions and sensitive operational details.
  • Writes or injects arbitrary comment content onto any process object via POST /api/Comment, corrupting audit trails, misleading other users, or embedding false instructions in business process records.
  • Enumerates internal process GUIDs through repeated API calls, mapping the structure of business objects and units that the attacker's own account has no legitimate access to.
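One defender-side check for the enumeration behaviour in the last bullet, added here as an example and not part of the advisory: it counts how many distinct relatedObjectId values each account touches on the Comment API within a sliding window. The access-log layout, the user names and the GUIDs are constructed for this example; linqi's real log format is not documented on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log line format (assumption, not linqi's actual format):
#   <ISO timestamp>Z user=<name> <GET|POST> /api/Comment?relatedObjectId=<GUID> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>GET|POST) "
    r"/api/Comment\?relatedObjectId=(?P<oid>[0-9a-fA-F-]{36}) status=(?P<status>\d{3})$"
)

def parse(lines):
    """Return (timestamp, user, method, relatedObjectId, status) per matching line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["method"], m["oid"], int(m["status"])))
    return events

def flag_enumeration(lines, window=timedelta(minutes=5), max_distinct=10):
    """Map each user that touched more than max_distinct distinct GUIDs inside
    any window-sized span to the largest distinct count observed."""
    by_user = defaultdict(list)
    for ts, user, _method, oid, _status in sorted(parse(lines)):
        by_user[user].append((ts, oid))
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {oid for _, oid in evs[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged

# Constructed sample: one account walking 15 different GUIDs in 15 seconds,
# and one account reading the same object twice.
SAMPLE_LOG = [
    f"2026-03-01T10:00:{i:02d}Z user=mallory GET "
    f"/api/Comment?relatedObjectId=00000000-0000-0000-0000-0000000000{i:02d} status=200"
    for i in range(15)
] + [
    "2026-03-01T10:01:00Z user=alice GET /api/Comment?relatedObjectId=11111111-1111-1111-1111-111111111111 status=200",
    "2026-03-01T10:03:00Z user=alice POST /api/Comment?relatedObjectId=11111111-1111-1111-1111-111111111111 status=201",
]
```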

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with no fix version currently published by linqi. HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as an upstream fix is released; for customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. While the fix is pending, HarborGuard surfaces the open finding in the customer dashboard and supports compensating-control approaches: network-policy isolation restricting access to the Comment API endpoints to known internal CIDR ranges, egress filtering to limit lateral API exposure, and feature-flag or WAF-level gating on the affected GET and POST /api/Comment routes. Customers whose compliance policies flag High-severity unpatched CVEs for escalation will have this finding routed automatically to the configured owner inbox.

Affected packages
  • linqi GmbH / linqi
    ≤ 1.4.8.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N