CVE-2026-11369 (EPSS percentile 10.8%)

Description

The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.

Scoring

EPSS: 0.21% probability of exploitation · percentile 10.8% · scored 2026-06-18T12:00:27Z
Last modified: 2026-06-05

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-6356
CVE: CVE-2025-45968
CVE: CVE-2026-48904
CVE: CVE-2026-23899
CVE: CVE-2026-25197
CVE: CVE-2026-2697
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.