PatchSiren cyber security CVE debrief
CVE-2026-11369 linqi GmbH CVE debrief
CVE-2026-11369 is an Insecure Direct Object Reference (IDOR) vulnerability in the Comment API of linqi (vendor: linqi GmbH). The vulnerability is rated HIGH with a CVSS score of 7.1 and allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID. The CVE was published on 2026-06-05T14:16:35.657Z and last modified on 2026-06-05T16:07:31.547Z.
- Vendor: linqi GmbH
- Product: linqi
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Security teams and administrators of linqi deployments should be aware of this vulnerability and take the necessary actions to mitigate it.
Technical summary
The Comment API (GET /api/Comment and POST /api/Comment) fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the IDOR vulnerability.
- Implement proper authorization checks in the Comment API to ensure that users can only access and modify comments for objects they have permission to access.
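One way to implement the object-level check recommended above, as an added example that is not linqi's code or part of the CVE record: a hypothetical in-memory CommentService whose GUIDs, user names, business-unit mapping and method names are all constructed for illustration. The unchecked read shows the pattern described in the technical summary; the checked read and write resolve relatedObjectId to its business unit before touching any comment.

```python
# Added example: hypothetical in-memory model, not linqi's implementation.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller lacks access to the object named by relatedObjectId."""


@dataclass
class CommentService:
    object_unit: dict   # object GUID -> owning business unit (constructed data)
    user_units: dict    # user -> set of business units the user may access
    comments: dict = field(default_factory=dict)

    def _authorize(self, user, related_object_id):
        # Object-level check: resolve the target object first, then compare its
        # business unit with the caller's. Unknown GUIDs raise the same error as
        # foreign ones, so the response does not confirm which GUIDs exist.
        unit = self.object_unit.get(related_object_id)
        if unit is None or unit not in self.user_units.get(user, set()):
            raise Forbidden(related_object_id)

    def get_comments_unchecked(self, user, related_object_id):
        # IDOR pattern: caller is authenticated, but the GUID is trusted as sent.
        return list(self.comments.get(related_object_id, []))

    def get_comments(self, user, related_object_id):
        self._authorize(user, related_object_id)
        return list(self.comments.get(related_object_id, []))

    def post_comment(self, user, related_object_id, text):
        self._authorize(user, related_object_id)  # same check on the write path
        self.comments.setdefault(related_object_id, []).append((user, text))


def demo():
    svc = CommentService(
        object_unit={"guid-hr-1": "HR", "guid-fin-1": "Finance"},
        user_units={"alice": {"HR"}, "bob": {"Finance"}},
    )
    svc.post_comment("bob", "guid-fin-1", "Q3 budget approved")
    leaked = svc.get_comments_unchecked("alice", "guid-fin-1")
    try:
        svc.get_comments("alice", "guid-fin-1")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked
```

The check belongs in the service layer, next to the data access, so that the read and write paths cannot drift apart.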
Evidence notes
The CVE record and details were obtained from the official CVE.org and NVD sources.
Official resources
- CVE-2026-11369 CVE record (CVE.org)
- CVE-2026-11369 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 86c47df7-7d28-48da-920a-6423c52fd3da