IDOR Vulnerability in Comet Backup Affects Multiple Versions
CVE-2026-29200

9.9CRITICAL

Key Information:

Vendor: Webpros
Status: Comet Backup
Vendor: CVE Published:; 4 May 2026

What is CVE-2026-29200?

A critical IDOR vulnerability has been identified in Comet Backup that affects several versions. This security flaw enables a tenant administrator to impersonate end-user accounts from other tenants on the same server by exploiting a vulnerable API call. This can lead to unauthorized access and compromise user data, thus posing significant risks to the integrity and confidentiality of tenant environments.

Affected Version(s)

Comet Backup 20.11.0 < 26.1.2

Comet Backup 26.2.0 < 26.2.2

References

https://support.cometbackup.com/hc/en-us/articles/4009094...

CVSS V4

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29200 Data

JSON

Webpros

What is CVE-2026-29200?

Affected Version(s)

References

CVSS V4

Timeline