CRITICAL🇵🇱 Wersja polska

CVE-2026-29200

CVSS 9.9v4.0pub. 2026-05-04upd. 2026-05-06

A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.

🤖 AI Analysis
How it works

The vulnerability results from insufficient permission verification in a specific API call (CWE-639 — Authorization Bypass Through User-Controlled Key). An attacker with tenant administrator privileges can manipulate object identifiers in the API request in such a way that the system accepts their identity as another user belonging to a separate tenant. No victim interaction or special network conditions are required — the attack is possible remotely over the network.

Impact

An attacker can fully impersonate any user account of other tenants on the same server, gaining access to their data and potentially modifying their resources. This constitutes a serious breach of multi-tenant environment isolation and may lead to customer data leakage or loss.

Mitigation & patch

Patches available from the vendor should be applied according to the references — detailed information about the patched version is available in the Comet Backup technical support article at the address indicated in the CVE references

Who is affected

Comet Backup in all versions from 20.11.0 to 26.1.1 and version 26.2.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
IDOR
CWE
References