SB2026060110 - Information disclosure in OutSystems LifeTime


Published: June 1, 2026

Security Bulletin ID: SB2026060110
CSH Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-40127)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in /lifetime/Application_ChangeLog.aspx when handling requests with the ApplicationId parameter. A remote user can manipulate the ApplicationId parameter to disclose sensitive information.

The issue affects application change log data, and predictable sequential identifiers facilitate automated enumeration of change logs across the environment.
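The enumeration pattern this bulletin describes, sequential ApplicationId values requested in quick succession against /lifetime/Application_ChangeLog.aspx, is visible in ordinary web-server access logs. The following detection script is an added example, not part of this bulletin or of OutSystems; the log lines are constructed and the simplified field layout is assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

ENDPOINT = "/lifetime/Application_ChangeLog.aspx"  # path named in the bulletin
PARAM = "ApplicationId"                              # parameter named in the bulletin

# Constructed sample lines; assumed layout: date time client-ip user method uri-stem uri-query status
SAMPLE_LOG = """\
2026-06-01 10:00:01 10.0.0.5 alice GET /lifetime/Application_ChangeLog.aspx ApplicationId=1041 200
2026-06-01 10:00:02 10.0.0.5 alice GET /lifetime/Application_ChangeLog.aspx ApplicationId=1042 200
2026-06-01 10:00:03 10.0.0.5 alice GET /lifetime/Application_ChangeLog.aspx ApplicationId=1043 200
2026-06-01 10:00:04 10.0.0.5 alice GET /lifetime/Application_ChangeLog.aspx ApplicationId=1044 200
2026-06-01 10:05:00 10.0.0.9 bob GET /lifetime/Application_ChangeLog.aspx ApplicationId=2001 200
2026-06-01 10:07:00 10.0.0.9 bob GET /lifetime/Applications.aspx - 200
"""

def parse_line(line):
    # One record per line; anything that does not match the assumed layout is ignored.
    parts = line.split()
    if len(parts) != 8:
        return None
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    query = parse_qs(parts[6]) if parts[6] != "-" else {}
    return {"ts": ts, "ip": parts[2], "user": parts[3], "path": parts[5],
            "query": query, "status": int(parts[7])}

def find_enumerators(log_text, min_run=4, window=timedelta(minutes=5)):
    """Return {(user, ip): [ids]} for clients whose successful change-log requests
    walk at least `min_run` consecutive ApplicationIds within `window`."""
    by_client = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["path"] != ENDPOINT or rec["status"] != 200:
            continue
        values = rec["query"].get(PARAM, [])
        if values and values[0].isdigit():
            by_client[(rec["user"], rec["ip"])].append((rec["ts"], int(values[0])))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        run = [hits[0]]
        for cur in hits[1:]:
            # Extend the run only when the id is the next integer and the run stays inside the window.
            if cur[1] == run[-1][1] + 1 and cur[0] - run[0][0] <= window:
                run.append(cur)
            else:
                run = [cur]
            if len(run) >= min_run and len(run) > len(flagged.get(client, [])):
                flagged[client] = [i for _, i in run]
    return flagged
```

A single user legitimately viewing one application's change log produces one isolated id, so only sustained stepping through adjacent values is reported; tune `min_run` and `window` to the environment's normal LifeTime usage.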


Remediation

Install the update from the vendor's website.