Bug 2498132 (CVE-2026-59262) - CVE-2026-59262 AFFiNE: AFFiNE: Information disclosure via histories GraphQL field
Summary: CVE-2026-59262 AFFiNE: AFFiNE: Information disclosure via histories GraphQL f...
Keywords:
Status: NEW
Alias: CVE-2026-59262
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-08 16:02 UTC by OSIDB Bzimport
Modified: 2026-07-10 12:22 UTC (History)
9 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-08 16:02:35 UTC
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.


Note You need to log in before you can comment on or make changes to this bug.