SB2026060242 - Multiple vulnerabilities in Tolgee

Published: June 2, 2026

Security Bulletin ID: SB2026060242
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 33%, Low: 67%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: N/A)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify another organization's LLM provider configuration and redirect future LLM traffic.

The vulnerability exists due to authorization bypass through user-controlled key in the LLM provider update endpoint when handling update requests with a foreign provider identifier under an authorized organization URL. A remote user can send a specially crafted request to modify another organization's LLM provider configuration and redirect future LLM traffic.


2) Authorization bypass through user-controlled key (CVE-ID: N/A)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify another project's content storage configuration or disclose sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key in the content storage update and test endpoints when handling requests with a foreign content storage identifier under an authorized project URL. A remote user can send a specially crafted request to modify another project's content storage configuration or disclose sensitive information.

Testing a foreign storage configuration may expose existing storage secrets.


3) Authorization bypass through user-controlled key (CVE-ID: N/A)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify translation suggestions in another project or disclose sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key in the translation suggestion handling endpoints when processing suggestion operations with a foreign suggestion identifier after validating only the local key context. A remote user can send a specially crafted request to modify translation suggestions in another project or disclose sensitive information.

The accept operation can copy the victim's suggestion text into the attacker's project.


4) Authorization bypass through user-controlled key (CVE-ID: N/A)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify task-key relationships across projects.

The vulnerability exists due to authorization bypass through user-controlled key in TaskService.updateTaskKeys() when resolving added keys by global identifiers without verifying that the keys belong to the authorized project. A remote user can send a specially crafted request to modify task-key relationships across projects.

The issue creates a cross-tenant relation in the database.


5) Incorrect authorization (CVE-ID: N/A)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read batch job metadata or cancel another project's batch jobs.

The vulnerability exists due to incorrect authorization in the batch job read and cancel endpoints when loading a job by global identifier and checking permissions against the URL project instead of the job's actual project. A remote user can send a specially crafted request to read batch job metadata or cancel another project's batch jobs.

Exposed metadata includes the author identity.
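Items 1 to 5 share one pattern: the request is authorized against the organization or project named in the URL, but the resource itself is loaded by a global identifier that is never checked against that project. The following is an added illustration, not Tolgee's code; the in-memory data, the names (mallory, alice, bob) and the function names are constructed to show the vulnerable lookup of item 5 beside a hardened version, plus the hardened key-resolution check of item 4.

```python
from dataclasses import dataclass

# Constructed sample data (not Tolgee's schema). Ids are global across tenants,
# as in the bulletin: project 1 is the requester's, project 2 is another tenant's.
@dataclass
class BatchJob:
    project_id: int
    author: str
@dataclass
class Key:
    project_id: int
JOBS = {10: BatchJob(1, "alice"), 20: BatchJob(2, "bob")}
KEYS = {100: Key(1), 101: Key(1), 200: Key(2)}
PERMISSIONS = {("mallory", 1)}  # mallory is a member of project 1 only

def has_permission(user: str, project_id: int) -> bool:
    return (user, project_id) in PERMISSIONS

def get_job_vulnerable(user: str, url_project_id: int, job_id: int) -> BatchJob:
    # Item 5 pattern: permission is checked against the URL project, the job is
    # loaded by global id, and nothing checks that the two agree.
    if not has_permission(user, url_project_id):
        raise PermissionError(user)
    return JOBS[job_id]

def get_job_fixed(user: str, url_project_id: int, job_id: int) -> BatchJob:
    if not has_permission(user, url_project_id):
        raise PermissionError(user)
    job = JOBS.get(job_id)
    # Scope the lookup to the authorized project. A foreign job is "not found",
    # which also avoids confirming that the id exists in another tenant.
    if job is None or job.project_id != url_project_id:
        raise LookupError(f"batch job {job_id} not found in project {url_project_id}")
    return job

def resolve_task_keys_fixed(url_project_id: int, key_ids: list[int]) -> list[Key]:
    # Item 4 pattern, hardened: resolve by global id, then refuse the whole request
    # if any key is missing or belongs to another project (no partial update).
    found = [KEYS[k] for k in key_ids if k in KEYS]
    if len(found) != len(key_ids) or any(k.project_id != url_project_id for k in found):
        raise LookupError("one or more keys do not belong to this project")
    return found

def outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "ok"  # "denied" / "not_found" otherwise, so callers need no try/except
    except (PermissionError, LookupError) as e:
        return "denied" if isinstance(e, PermissionError) else "not_found"
```

With this data, `get_job_vulnerable("mallory", 1, 20)` returns the other tenant's job and its author, while `get_job_fixed` reports it as not found.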


6) Improper verification of cryptographic signature (CVE-ID: N/A)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper verification of cryptographic signature in SlackEventsController.validateAndParsePayload() and the /on-bot-event handler when processing crafted Slack bot-event payloads containing both a redirect value and an app_uninstalled event. A remote attacker can send a specially crafted request to cause a denial of service.

Successful exploitation requires knowledge or guessing of a connected Slack team_id and results in deletion of the corresponding Slack workspace integration, disabling Slack notifications and subscriptions until the workspace is reconnected.
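Item 6 turns on whether a Slack event payload is authenticated before any handler path acts on it. As an added example that is not Tolgee's code, the block below implements Slack's documented request-signing check (HMAC-SHA256 over `v0:<timestamp>:<raw body>`, carried in the X-Slack-Signature and X-Slack-Request-Timestamp headers) with a replay window and constant-time comparison; the signing secret, sample body and timestamp are constructed values.

```python
import hashlib
import hmac

# Constructed values for the example; a real deployment reads the signing secret
# from the Slack app configuration and never from a request.
SIGNING_SECRET = b"constructed-signing-secret"
MAX_SKEW_SECONDS = 300  # Slack recommends rejecting requests older than five minutes
SAMPLE_BODY = b'{"team_id":"T0CONSTRUCTED","event":{"type":"app_uninstalled"}}'
SAMPLE_TS = "1700000000"

def slack_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    # Slack's v0 scheme: HMAC-SHA256 over "v0:<timestamp>:<raw body>", hex-encoded,
    # sent in the X-Slack-Signature header as "v0=<hex>".
    basestring = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(secret, basestring, hashlib.sha256).hexdigest()

def verify_slack_request(secret: bytes, headers: dict, body: bytes, now: int) -> bool:
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    signature = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit() or not signature.startswith("v0="):
        return False
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:  # replay window
        return False
    # Compare in constant time, over the raw bytes that were signed, never over a
    # re-serialized parse of the body.
    expected = slack_signature(secret, timestamp, body)
    return hmac.compare_digest(expected.encode(), signature.encode())

def handle_bot_event(secret: bytes, headers: dict, body: bytes, now: int) -> str:
    # Verification gates every branch before the body is even parsed: an unsigned
    # or stale app_uninstalled event must never reach the code that removes the
    # workspace integration.
    if not verify_slack_request(secret, headers, body, now):
        return "rejected"
    return "accepted"

def signed_headers(secret: bytes, timestamp: str, body: bytes) -> dict:
    # Builds the two headers a genuine Slack request would carry (used for testing).
    return {"X-Slack-Request-Timestamp": timestamp,
            "X-Slack-Signature": slack_signature(secret, timestamp, body)}
```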


Remediation

Install the update from the vendor's website.