HIGH · CVE-2026-50875 · CNA: mitre

CVE-2026-50875: Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2

Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is an incorrect access control vulnerability (broken object-level authorization, or BOLA) in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1. It is reachable over the network and requires only a low-privilege authenticated account; no further permissions are needed. A successful attacker can arbitrarily modify or delete webhook configurations belonging to other tenants in the same deployment. The CVSS vector scores confidentiality impact as None, so the damage is to integrity and availability of the victim tenant's integrations rather than disclosure of their data. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-50875 is active across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Deck9 Input v2.0.1. Coverage applies to both registry scans and inline pipeline scans at build time.

Triage: Available

HarborGuard scores this CVE at CVSS 8.1 (High) and weights findings against each environment's compliance policy to route the result to the appropriate team inbox. Per-environment policy rules can escalate or suppress routing based on workload sensitivity and tenant isolation requirements.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are triggered automatically once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the Deck9 Input service via HTTP/HTTPS.

  • Authentication: Required

    The attacker must hold a valid low-privilege account; no administrative or elevated role is needed beyond basic authentication.

  • Victim interaction: Not required

    No action from another user or tenant is required to complete the attack.

  • Attack complexity: Low

    The exploit is reliable and does not depend on race conditions or specific environmental factors beyond network access and a valid credential.

Blast Radius

  • The attacker can modify webhook configurations belonging to any other tenant, redirecting form submission events to an attacker-controlled endpoint or altering integration behavior.
  • The attacker can delete another tenant's webhooks entirely, silently breaking downstream integrations and event-driven workflows without the victim tenant receiving immediate notice.
  • Persistent webhook tampering can cause ongoing data-routing failures or silent data loss for affected tenants until the configuration is manually audited and restored.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-50875 is active and flags any image found to include Deck9 Input v2.0.1 in both registry and pipeline contexts. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild as soon as a fix version is published.

In the interim, compensating controls worth considering include network-policy rules that restrict which sources can reach the /{form}/webhooks/{webhook} endpoint, egress filtering to limit where webhook payloads can be delivered, and object-level authorization enforced at an API gateway in front of the service. Note that a gateway can only enforce ownership if it can resolve which tenant owns the {form} and {webhook} IDs in the path, which usually means a lookup against the application's own data rather than a static rule. Because tampering may already have occurred and is silent for the victim tenant, an audit of existing webhook targets across tenants is also worthwhile. For customers with auto-remediation enabled, the full rebuild-and-PR flow activates automatically once an upstream patch is available, with no manual trigger required.
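As an added example (not Deck9 Input's code, whose implementation this page does not show), the following Python sketches the object-level authorization gap behind this class of bug and the check that closes it. The in-memory store, the tenant/form/webhook names and the handler functions are all hypothetical; the point is that the hardened handlers scope every lookup to the caller's tenant and the {form} in the path, so another tenant's webhook ID is indistinguishable from a nonexistent one.

```python
"""Added example, not Deck9 Input's code: object-level authorization for
PATCH/DELETE /{form}/webhooks/{webhook}.  All names below are hypothetical."""
from dataclasses import dataclass
from typing import Optional


class NotFound(Exception):
    """Raised for unknown and foreign objects alike, so the response cannot be
    used to enumerate another tenant's webhook IDs."""


@dataclass
class Webhook:
    id: str
    tenant: str
    form: str
    url: str


def sample_store() -> dict:
    """Constructed sample data: two tenants, each with one form and one webhook."""
    return {
        "wh-1": Webhook("wh-1", "tenant-a", "form-a", "https://a.example/hook"),
        "wh-2": Webhook("wh-2", "tenant-b", "form-b", "https://b.example/hook"),
    }


def find_scoped(store: dict, tenant: str, form: str, webhook_id: str) -> Optional[Webhook]:
    """Resolve a webhook only if it belongs to the caller's tenant AND the form
    named in the path.  The tenant comes from the authenticated session, never
    from the request; the path parameters alone grant nothing."""
    hook = store.get(webhook_id)
    if hook is None or hook.tenant != tenant or hook.form != form:
        return None
    return hook


# --- vulnerable shape: authenticated, but the lookup ignores ownership ---
def update_webhook_vulnerable(store, caller_tenant, form, webhook_id, new_url):
    hook = store.get(webhook_id)          # any valid session, any ID
    if hook is None:
        raise NotFound(webhook_id)
    hook.url = new_url                    # cross-tenant modification succeeds
    return hook


def delete_webhook_vulnerable(store, caller_tenant, form, webhook_id):
    if webhook_id not in store:
        raise NotFound(webhook_id)
    del store[webhook_id]                 # cross-tenant deletion succeeds


# --- hardened shape: every lookup is scoped to the caller ---
def update_webhook_hardened(store, caller_tenant, form, webhook_id, new_url):
    hook = find_scoped(store, caller_tenant, form, webhook_id)
    if hook is None:
        raise NotFound(webhook_id)        # a foreign ID looks like a missing one
    hook.url = new_url
    return hook


def delete_webhook_hardened(store, caller_tenant, form, webhook_id):
    if find_scoped(store, caller_tenant, form, webhook_id) is None:
        raise NotFound(webhook_id)
    del store[webhook_id]


if __name__ == "__main__":
    s = sample_store()
    # tenant-b's session targets tenant-a's webhook through the vulnerable handler
    print(update_webhook_vulnerable(s, "tenant-b", "form-b", "wh-1", "https://attacker.example/").url)
    try:
        update_webhook_hardened(s, "tenant-b", "form-b", "wh-1", "https://attacker.example/")
    except NotFound:
        print("hardened handler: not found for a foreign webhook")
```

The hardened version also returns the same NotFound for a webhook that exists under the caller's tenant but a different form, which keeps the {form} segment of the path from being used as a side channel for object existence.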

Affected packages
  • n/a / n/a: n/a

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
(network-reachable, low attack complexity, low privileges required, no user interaction, scope unchanged, no confidentiality impact, high integrity and availability impact)