{"vulnerability": "cve-2026-50875", "sightings": [{"uuid": "7ca49480-813f-4919-b516-7c2339dd75f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50875", "type": "seen", "source": "https://gist.github.com/pyuysig/49dbaa25ec20f2258749bdae6ebf0377", "content": "# Vulnerability Report: CVE-2026-50875 - Input - Cross-tenant webhook update and delete IDOR\n\n## Vulnerability Summary\nDeck9 Input 2.0.1 contains an incorrect access control issue in nested form webhook routes. An authenticated user can combine an attacker-controlled form identifier with a victim-owned webhook identifier in update or delete requests, leading to unauthorized modification or deletion of another tenant's webhook.\n\n## Affected Product\n- **Vendor**: Deck9\n- **Product**: Input\n- **Version**: 2.0.1\n- **Vulnerable Component**: forms/{form}/webhooks/{webhook} update/delete endpoints, FormWebhookController, FormWebhookRequest authorization path\n\n## Vulnerability Details\n- **Vulnerability Type**: Incorrect Access Control\n- **Weakness**: CWE-863\n- **Attack Conditions**: Remote authenticated request to forms/{form}/webhooks/{webhook} using mismatched form and webhook identifiers.\n\n## Report Body\n\n### Summary\nDeck9 Input 2.0.1 contains an incorrect access control issue in nested form webhook routes. An authenticated user can combine an attacker-controlled form identifier with a victim-owned webhook identifier in update or delete requests, leading to unauthorized modification or deletion of another tenant's webhook.\n\n### Details\nThe nested route authorization path does not sufficiently bind the webhook object to the parent form controlled by the requester. This allows object identifiers from different tenants to be combined in a request.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50875.\n3. Confirm the security result: An authenticated user can update or delete a webhook owned by another tenant by sending a crafted nested route request.\n\n### Impact\nUnauthorized cross-tenant webhook modification or deletion by an authenticated user.\n\n## Remediation\nAuthorize the webhook through the parent form relationship and reject requests where the webhook does not belong to the requester-controlled form.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:42.000000Z"}]}