CRITICALCVE-2026-29200Published 2026-05-04Modified 2026-05-04CNA hackerone

CVE-2026-29200: A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20

A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.

CVSS v4.0: 9.9
Severity: CRITICAL
Fixed in: 26.1.2
Affected Products: 1

Fix available

26.1.226.2.2

Affected packages

WebPros / Comet Backup
< 26.1.2 (from 20.11.0) · < 26.2.2 (from 26.2.0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H

References

support.cometbackup.com

Metrics

Fix available