CVE-2026-5022

Medium CVSS: 6.3

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.

Vendor

Product

CWE

CWE-862

Yayın Tarihi

2026-03-27 15:17:04

Güncelleme

2026-03-30 13:26:29

Source Identifier

vulnreport@tenable.com

KEV Date Added

Kategoriler

CWE-862 MEDIUM 2026

Referanslar

https://www.tenable.com/security/research/tra-2026-23