Authorization bypass through user-controlled key in Lifetime - CVE-2026-40127

Published: June 1, 2026


Vulnerability identifier: #VU133109
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40127
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OutSystems
Affected software: Lifetime

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in /lifetime/Application_ChangeLog.aspx when handling the ApplicationId parameter. A remote user can manipulate the ApplicationId parameter to disclose sensitive information.

The issue affects application change log data. Because application identifiers are predictable and sequential, the change logs of every application in the environment can be enumerated automatically.
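A defender-side illustration, added here and not part of the advisory or of any OutSystems code: constructed access-log lines (the `timestamp user path status` layout, the user names and the thresholds are assumptions) are scanned for a principal walking sequential ApplicationId values on the change-log page, the enumeration pattern the advisory describes.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log lines; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2026-06-01T10:00:01Z alice /lifetime/Application_ChangeLog.aspx?ApplicationId=42 200
2026-06-01T10:00:05Z alice /lifetime/Application_ChangeLog.aspx?ApplicationId=43 200
2026-06-01T10:00:06Z alice /lifetime/Application_ChangeLog.aspx?ApplicationId=44 200
2026-06-01T10:00:07Z alice /lifetime/Application_ChangeLog.aspx?ApplicationId=45 200
2026-06-01T10:00:08Z alice /lifetime/Application_ChangeLog.aspx?ApplicationId=46 200
2026-06-01T10:02:00Z bob /lifetime/Application_ChangeLog.aspx?ApplicationId=7 200
2026-06-01T10:05:00Z bob /lifetime/Application_Detail.aspx?ApplicationId=8 200
2026-06-01T10:06:00Z bob /lifetime/Application_ChangeLog.aspx?ApplicationId=7 200
"""

# Only successful requests to the change-log page carrying an ApplicationId are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) "
    r"(?P<path>/lifetime/Application_ChangeLog\.aspx\?[^ ]*ApplicationId=(?P<app_id>\d+)[^ ]*) "
    r"(?P<status>\d{3})$"
)

def change_log_ids_per_user(log_text: str) -> Dict[str, List[int]]:
    """Collect the ApplicationId values each user successfully fetched from the change-log page."""
    ids = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ids[m.group("user")].append(int(m.group("app_id")))
    return dict(ids)

def sequential_run_length(values: List[int]) -> int:
    """Longest run of consecutive integers among the distinct ids (0 for no ids)."""
    distinct = sorted(set(values))
    best = run = 1 if distinct else 0
    for prev, cur in zip(distinct, distinct[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumerators(log_text: str, min_distinct: int = 5, min_run: int = 4) -> List[str]:
    """Users who read many distinct change logs, largely by walking sequential ids."""
    flagged = []
    for user, ids in change_log_ids_per_user(log_text).items():
        if len(set(ids)) >= min_distinct and sequential_run_length(ids) >= min_run:
            flagged.append(user)
    return sorted(flagged)
```

A single user legitimately revisiting one application's change log (bob above) is not flagged; the thresholds should be tuned to how many applications an administrator normally touches in one session.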


How to mitigate CVE-2026-40127

Install the security update from the vendor's website.

Sources