A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
The vulnerability results from insufficient permission verification in a specific API call (CWE-639 — Authorization Bypass Through User-Controlled Key). An attacker with tenant administrator privileges can manipulate object identifiers in the API request in such a way that the system accepts their identity as another user belonging to a separate tenant. No victim interaction or special network conditions are required — the attack is possible remotely over the network.
An attacker can fully impersonate any user account of other tenants on the same server, gaining access to their data and potentially modifying their resources. This constitutes a serious breach of multi-tenant environment isolation and may lead to customer data leakage or loss.
Patches available from the vendor should be applied according to the references — detailed information about the patched version is available in the Comet Backup technical support article at the address indicated in the CVE references
Comet Backup in all versions from 20.11.0 to 26.1.1 and version 26.2.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X