Cross-Tenant Authorization Bypass in Biloop by Adisss
CVE-2026-12686
9.3CRITICAL
What is CVE-2026-12686?
An authenticated user in Biloop may exploit a flaw in the application's handling of company ID parameters. By manipulating a specific parameter in a POST request, the malicious actor gains unauthorized access to other companies' data within the same subdomain. This vulnerability arises from insufficient verification of the company ID against the user's session, leading to potential exposure of sensitive information, including customer billing data, and the risk of unauthorized modifications to third-party data.
Affected Version(s)
Biloop 6.1.1
