PatchSiren cyber security CVE debrief
CVE-2026-12213 hcengineering CVE debrief
A vulnerability was found in hcengineering Huly Platform up to 0.7.0. The function getAccountInfo of the file server/account/src/operations.ts, which handles user information, is affected by improper authorization. This vulnerability can be exploited remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond.
- Vendor
- hcengineering
- Product
- Huly Platform
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of hcengineering Huly Platform up to version 0.7.0 should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by improper authorization in the getAccountInfo function of the server/account/src/operations.ts file. This allows an attacker to manipulate user information.
Defensive priority
LOW
Recommended defensive actions
- Update to a version of Huly Platform that is not vulnerable.
- Implement additional authorization checks for the getAccountInfo function.
Evidence notes
The CVE record was obtained from the official CVE website. Additional information was obtained from Vuldb.
Official resources
CVE-2026-12213 was published on 2026-06-15T04:16:25.780Z and has not been modified since then.