PatchSiren cyber security CVE debrief
CVE-2026-53536 activepieces CVE debrief
CVE-2026-53536 is a vulnerability in the Activepieces open source AI workflow automation platform. Prior to version 0.83.0, the /v1/step-files/signed download endpoint did not properly verify the token's audience and lacked a null-check on the decoded fileId, allowing any caller with a valid Activepieces JWT to receive a step-file belonging to another tenant. This issue allows for unauthorized access to sensitive information, with a CVSS score of 5.3 and a MEDIUM severity level.
- Vendor
- activepieces
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Activepieces AI workflow automation platform, especially those hosting the platform and managing multiple tenants, should be aware of this vulnerability and take steps to ensure their instances are updated to version 0.83.0 or later. This includes reviewing and monitoring access to the /v1/step-files/signed download endpoint and implementing additional security measures to protect sensitive information.
Technical summary
The vulnerability exists in the /v1/step-files/signed download endpoint of Activepieces. The endpoint verifies the supplied JWT against the shared signing secret but fails to check the token's audience. Additionally, a missing null-check on the decoded fileId allows any caller holding a valid Activepieces JWT to access step-files belonging to other tenants. The vulnerability is fixed in version 0.83.0, and users should update their instances to prevent exploitation.
Defensive priority
Medium priority due to the CVSS score of 5.3 and the potential for unauthorized access to sensitive information.
Recommended defensive actions
- Update Activepieces instances to version 0.83.0 or later
- Review and monitor access to the /v1/step-files/signed download endpoint
- Implement additional security measures to protect sensitive information
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-16T19:16:50.240Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence limits suggest that the vulnerability affects Activepieces instances prior to version 0.83.0, and defenders should verify instance versions and update or patch as necessary.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T19:16:50.240Z and has not been modified since then.