PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53536 activepieces CVE debrief

CVE-2026-53536 is a vulnerability in the Activepieces open source AI workflow automation platform. Prior to version 0.83.0, the /v1/step-files/signed download endpoint did not properly verify the token's audience and lacked a null-check on the decoded fileId, allowing any caller with a valid Activepieces JWT to receive a step-file belonging to another tenant. This issue allows for unauthorized access to sensitive information, with a CVSS score of 5.3 and a MEDIUM severity level.

Vendor
activepieces
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of Activepieces AI workflow automation platform, especially those hosting the platform and managing multiple tenants, should be aware of this vulnerability and take steps to ensure their instances are updated to version 0.83.0 or later. This includes reviewing and monitoring access to the /v1/step-files/signed download endpoint and implementing additional security measures to protect sensitive information.

Technical summary

The vulnerability exists in the /v1/step-files/signed download endpoint of Activepieces. The endpoint verifies the supplied JWT against the shared signing secret but fails to check the token's audience. Additionally, a missing null-check on the decoded fileId allows any caller holding a valid Activepieces JWT to access step-files belonging to other tenants. The vulnerability is fixed in version 0.83.0, and users should update their instances to prevent exploitation.

Defensive priority

Medium priority due to the CVSS score of 5.3 and the potential for unauthorized access to sensitive information.

Recommended defensive actions

  • Update Activepieces instances to version 0.83.0 or later
  • Review and monitor access to the /v1/step-files/signed download endpoint
  • Implement additional security measures to protect sensitive information
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-16T19:16:50.240Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that the vulnerability affects Activepieces instances prior to version 0.83.0, and defenders should verify instance versions and update or patch as necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:50.240Z and has not been modified since then.