Cross-Tenant Authorization Bypass in Biloop by Adisss
CVE-2026-12686

9.3CRITICAL

Key Information:

Vendor

Adiss

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-12686?

An authenticated user in Biloop may exploit a flaw in the application's handling of company ID parameters. By manipulating a specific parameter in a POST request, the malicious actor gains unauthorized access to other companies' data within the same subdomain. This vulnerability arises from insufficient verification of the company ID against the user's session, leading to potential exposure of sensitive information, including customer billing data, and the risk of unauthorized modifications to third-party data.

Affected Version(s)

Biloop 6.1.1

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jean-Michel Junod
.