Insecure Direct Object Reference in Wimi Teamwork On-Premises
CVE-2026-35023

5.3 MEDIUM

Key Information:

Vendor
CVE Published:
8 April 2026

What is CVE-2026-35023?

Wimi Teamwork On-Premises versions before 8.2.0 contain an insecure direct object reference in the preview.php endpoint. The endpoint does not adequately check authorization on the item_id parameter, so an attacker can enumerate item_id values sequentially. This lets unauthorized users retrieve image previews from other users' private or group conversations, exposing sensitive information.
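For defenders reviewing web server logs from an affected instance, the following added example (not code from Wimi or from this advisory) flags clients whose preview.php requests walk item_id values in ascending sequence. It assumes combined-format access logs with item_id carried in the query string; the log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: combined-log-style lines, item_id passed in the query string.
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) \S*?/preview\.php\?(\S*) HTTP')
ITEM = re.compile(r'(?:^|&)item_id=(\d+)(?:&|$)')

# Constructed sample log (documentation-range addresses, invented ids).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Apr/2026:10:00:01 +0000] "GET /preview.php?item_id=4101 HTTP/1.1" 200 5120
198.51.100.20 - - [08/Apr/2026:10:00:01 +0000] "GET /preview.php?item_id=8841 HTTP/1.1" 200 7301
203.0.113.7 - - [08/Apr/2026:10:00:02 +0000] "GET /preview.php?item_id=4102 HTTP/1.1" 200 4988
203.0.113.7 - - [08/Apr/2026:10:00:02 +0000] "GET /preview.php?item_id=4103 HTTP/1.1" 200 6010
198.51.100.20 - - [08/Apr/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1200
203.0.113.7 - - [08/Apr/2026:10:00:03 +0000] "GET /preview.php?size=2&item_id=4104 HTTP/1.1" 200 5544
198.51.100.20 - - [08/Apr/2026:10:02:40 +0000] "GET /preview.php?item_id=8790 HTTP/1.1" 200 3150
203.0.113.7 - - [08/Apr/2026:10:00:03 +0000] "GET /preview.php?item_id=4105 HTTP/1.1" 200 5230
203.0.113.7 - - [08/Apr/2026:10:00:04 +0000] "GET /preview.php?item_id=4106 HTTP/1.1" 200 4870
198.51.100.20 - - [08/Apr/2026:10:07:15 +0000] "GET /preview.php?item_id=9012 HTTP/1.1" 200 6642
""".splitlines()

def longest_run(ids, max_gap=1):
    """Longest stretch, in request order, where each id exceeds the previous by 1..max_gap."""
    best = cur = 1 if ids else 0
    for prev, nxt in zip(ids, ids[1:]):
        cur = cur + 1 if 0 < nxt - prev <= max_gap else 1
        best = max(best, cur)
    return best

def find_enumerators(lines, min_run=5, max_gap=1):
    """Map client address -> longest ascending item_id run, for runs >= min_run."""
    per_client = defaultdict(list)
    for line in lines:
        req = REQ.match(line)
        if not req:
            continue  # not a preview.php request
        item = ITEM.search(req.group(2))
        if item:
            per_client[req.group(1)].append(int(item.group(1)))
    flagged = {}
    for client, ids in per_client.items():
        run = longest_run(ids, max_gap)
        if run >= min_run:
            flagged[client] = run
    return flagged

if __name__ == "__main__":
    for client, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {run} sequential item_id values requested from preview.php")
```

Raising max_gap tolerates ids skipped during a sweep, at the cost of more false positives from ordinary browsing of recent conversations.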

Affected Version(s)

Wimi Teamwork 0 < 8.2.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Noa Tchoumak
VulnCheck