PatchSiren cyber security CVE debrief
CVE-2026-40127 OutSystems CVE debrief
OutSystems Lifetime contains an authorization bypass vulnerability (CWE-639) in the ApplicationID parameter. Any authenticated user can read the Change Log containing actions performed by other users, as well as the application name of any application. The vulnerability was fixed in OutSystems Lifetime version 11.28.2.3955.
- Vendor: OutSystems
- Product: Lifetime
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations using OutSystems Lifetime for application lifecycle management, particularly those with multi-tenant environments or strict data segregation requirements between development teams.
Technical summary
The vulnerability exists in the ApplicationID parameter handling within OutSystems Lifetime. Insufficient authorization checks allow any authenticated user to manipulate this parameter to access Change Log entries belonging to other users and retrieve application names without proper access controls. The fix in version 11.28.2.3955 implements proper authorization validation on the ApplicationID parameter.
Defensive priority
medium
Recommended defensive actions
- Upgrade OutSystems Lifetime to version 11.28.2.3955 or later
- Review access logs for unauthorized Change Log access by authenticated users
- Audit ApplicationID parameter handling for additional authorization controls
- Validate that authenticated users can only access Change Log entries for applications they are authorized to manage
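As an added illustration of the flaw described in the technical summary and of the last two recommended actions (this is example code, not OutSystems code; the endpoint path, log format, ACL and change-log data are constructed for the example), the following Python models the missing object-level check on ApplicationID beside its fixed form, and a log review that flags Change Log reads of applications outside the requesting user's authorised set:

```python
import re

# Constructed authorization map: user -> ApplicationIDs that user may manage.
ACL = {
    "alice": {"app-101", "app-102"},
    "bob": {"app-201"},
}

# Constructed Change Log store keyed by ApplicationID.
CHANGE_LOG = {
    "app-101": ["alice deployed v1.2"],
    "app-201": ["bob tagged release 3"],
}

def get_change_log_vulnerable(user, application_id, change_log=CHANGE_LOG):
    """Pre-fix pattern (CWE-639): only authentication is checked, then the
    ApplicationID supplied by the caller is trusted as-is."""
    if user is None:
        raise PermissionError("authentication required")
    return change_log.get(application_id, [])

def get_change_log_fixed(user, application_id, change_log=CHANGE_LOG, acl=ACL):
    """Post-fix pattern: object-level check that the caller is authorised for
    this specific ApplicationID before any Change Log entry is returned."""
    if user is None:
        raise PermissionError("authentication required")
    if application_id not in acl.get(user, set()):
        # Same response as for an unknown application, so the endpoint does
        # not reveal whether the ApplicationID exists.
        return []
    return change_log.get(application_id, [])

# Constructed access-log format; the real Lifetime endpoint path is not on the page.
LOG_RE = re.compile(r"user=(?P<user>\S+) path=/ChangeLog ApplicationID=(?P<app>\S+)")

SAMPLE_LOG = [
    "2026-05-25T10:00:01Z user=alice path=/ChangeLog ApplicationID=app-101 status=200",
    "2026-05-25T10:00:07Z user=alice path=/ChangeLog ApplicationID=app-201 status=200",
    "2026-05-25T10:01:00Z user=bob path=/Applications status=200",
]

def find_unauthorized_access(log_lines, acl=ACL):
    """Return (user, ApplicationID) pairs where a Change Log read targeted an
    application the user is not authorised to manage."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("app") not in acl.get(m.group("user"), set()):
            hits.append((m.group("user"), m.group("app")))
    return hits
```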
Evidence notes
CVE published 2026-05-25; modified 2026-05-26. Fix version 11.28.2.3955 confirmed by vendor reference. CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and low confidentiality impact.