{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6355", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-15T13:48:22.716Z", "datePublished": "2026-04-22T13:18:05.165Z", "dateUpdated": "2026-04-22T14:19:45.268Z"}, "containers": {"cna": {"title": "CVE-2026-6355", "descriptions": [{"lang": "en", "value": "A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to unauthorized access to sensitive information and unauthorized changes to the tenant's configuration."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Augmentt", "product": "Augmentt", "versions": [{"status": "affected", "version": "1.0"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284: Improper Access Control"}]}], "references": [{"url": "https://github.com/Penguinsecq/CVE-2026-6355/"}], "x_generator": {"engine": "VINCE 3.0.36", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-6355"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-22T13:18:06.195Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:18:38.338962Z", "id": "CVE-2026-6355", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:19:45.268Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:18:38.338962Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:18:32.851Z"}}], "cna": {"title": "CVE-2026-6355", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Augmentt", "product": "Augmentt", "versions": [{"status": "affected", "version": "1.0"}]}], "references": [{"url": "https://github.com/Penguinsecq/CVE-2026-6355/"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.36", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-6355"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to unauthorized access to sensitive information and unauthorized changes to the tenant's configuration."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-22T13:18:06.195Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6355", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:19:45.268Z", "dateReserved": "2026-04-15T13:48:22.716Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-22T13:18:05.165Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:augmentt:augmentt:*:*:*:*:*:*:*:*", "matchCriteriaId": "561E9514-79C5-446F-9247-84192E7DF352", "versionEndExcluding": "2025-10-02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to unauthorized access to sensitive information and unauthorized changes to the tenant's configuration."}], "id": "CVE-2026-6355", "lastModified": "2026-05-12T20:17:24.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-22T14:17:06.627", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Penguinsecq/CVE-2026-6355/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Augmentt", "source": "cna", "vendor": "Augmentt"}, "product": "augmentt", "vendor": "augmentt"}], "analysis": {"en": {"generated_at": "2026-04-22T19:22:57.707548+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011provided patch that removes the insecure direct object reference checks.", "Implement server\u2011side validation to ensure that object identifiers are always verified against the tenant context before any operation is performed.", "Enforce role\u2011based access control so that only privileged users can alter configuration settings or access other tenants\u2019 data."], "summary": {"action": "Patch", "impact": "Unauthorized Cross\u2011Tenant Data Access and Modification"}, "threat_synthesis": {"affected_systems": "All deployed instances of the Augmentt web application are potentially vulnerable; no specific version information was supplied, so any deployment of the product may be impacted until a fix is applied.", "description_and_impact": "The Augmentt web application contains an insecure direct object reference flaw that lets attackers bypass owner checks and retrieve or alter data belonging to other tenants. This can compromise both confidentiality and integrity of tenant data, with the weakness mapped to CWE\u2011639.", "risk_and_exploitability": "Based on the description, it is inferred that the attack vector is via standard web requests that can guess or enumerate object identifiers. While EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, the cross\u2011tenant elevation potential makes it a high\u2010risk flaw. The CVSS score of 6.5 indicates moderate severity. Once the web application is reachable from a network or the internet, exploitation could occur with minimal effort from an unauthenticated user."}}}}, "created": "2026-04-22T19:30:24.747910+00:00", "title": "Insecure Direct Object References Expose Cross\u2011Tenant Data in Augmentt", "updated": "2026-04-27T19:55:05.890826+00:00", "vendors": ["augmentt", "augmentt$PRODUCT$augmentt"], "weaknesses": ["CWE-639"]}