SB2026060110 - Information disclosure in OutSystems LifeTime
Published: June 1, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-40127)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in /lifetime/Application_ChangeLog.aspx when handling requests with the ApplicationId parameter. A remote user can manipulate the ApplicationId parameter to disclose sensitive information.
The issue affects application change log data, and predictable sequential identifiers facilitate automated enumeration of change logs across the environment.
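The enumeration pattern described above can be hunted for in web server access logs. The following detection sketch is an added example, not part of the bulletin or vendor code. It assumes a space-separated W3C-style log layout (field order given in the comment), constructed sample lines, and hypothetical thresholds.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Path and parameter come from the bulletin; log layout and thresholds are assumptions.
TARGET_PATH = "/lifetime/application_changelog.aspx"
PARAM = "applicationid"

# Constructed sample log (not real traffic). Assumed field order:
# date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
_URI = "GET /lifetime/Application_ChangeLog.aspx ApplicationId="
SAMPLE_LOG = "\n".join(
    [f"2026-06-02 09:00:01 10.0.0.5 alice {_URI}12 200",
     f"2026-06-02 09:02:10 10.0.0.5 alice {_URI}12 200",
     f"2026-06-02 09:03:44 10.0.0.5 alice {_URI}40 200",
     # PlaceholderPage.aspx is a made-up page used only to show path filtering
     "2026-06-02 09:04:00 10.0.0.7 carol GET /lifetime/PlaceholderPage.aspx ApplicationId=1 200"]
    + [f"2026-06-02 09:05:{i:02d} 10.0.0.9 bob {_URI}{100 + i} 200" for i in range(7)]
)

def longest_run(ids):
    """Length of the longest run of consecutive integers in the set ids."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumeration(log_text, min_distinct=5, min_run=4):
    """Return {(ip, user): stats} for clients walking many ApplicationId values."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 8 or f[5].lower() != TARGET_PATH:
            continue
        params = {k.lower(): v for k, v in parse_qs(f[6]).items()}
        values = params.get(PARAM, [])
        seen[(f[2], f[3])].update(int(v) for v in values if v.isascii() and v.isdigit())
    alerts = {}
    for key, ids in seen.items():
        run = longest_run(ids)
        if len(ids) >= min_distinct or run >= min_run:
            alerts[key] = {"distinct": len(ids), "longest_run": run}
    return alerts

if __name__ == "__main__":
    for (ip, user), stats in find_enumeration(SAMPLE_LOG).items():
        print(ip, user, stats)
```

Thresholds should be tuned against how many applications a legitimate LifeTime user normally reviews in one session.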
Remediation
Install the update from the vendor's website.