Authorization Bypass in Mettle SendPortal Invitation Handler
CVE-2026-7145

5.3 MEDIUM

Key Information:

Vendor: Mettle

CVE Published: 27 April 2026

What is CVE-2026-7145?

A weakness has been identified in Mettle SendPortal, in the destroy function of the file WorkspaceInvitationsController.php, which is part of the Invitation Handler component. Manipulating the invitation argument bypasses authorization, which can result in unauthorized access. The vulnerability is exploitable remotely and puts at risk users who rely on this application for managing workspace invitations. The issue was reported to the project maintainers, but there has been no response or remediation yet, so affected systems remain potentially exposed.

Affected Version(s)

sendportal 3.0.0

sendportal 3.0.1

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

B1scuit (VulDB User)
VulDB CNA Team