CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-45704

highcovered by 1 sourcefirst seen 2026-05-27
Summary CustomReports uses inconsistent authorization between the report listing endpoint and the report detail endpoint. - The listing flow filters reports based on report-sharing rules - The detail flow only checks generic reports or reports_config permissions As a result, a low-privileged backend user who was not granted access to a report can still read that report directly by name even though it does not appear in the user's visible report list. In the local Docker reproduction: - The report poc-secret-report was not visible to the low-privileged user in the report list - The same user was still able to retrieve the report configuration directly by name Root Cause The listing flow in getReportConfigAction() filters reports through loadForGivenUser(): - CustomReportController.php - CustomReportController.php - CustomReportController.php - Config/Listing/Dao.php - Config/Listing/Dao.php However, getAction() only checks generic permissions and then loads the report directly by name: - CustomReportController.php - CustomReportController.php - CustomReportController.php - CustomReportController.php This means the same report object is protected by different authorization models depending on which endpoint is used. The result is a classic "not visible in list, but readable by direct request" access-control bypass. Impact An attacker can read sensitive report metadata without authorization, including: - Report name - Grouping information - Display and icon metadata - Data sourc

⚡ Watch CVE-2026-45704

Get an email if CVE-2026-45704 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-45704

CVE.org record

Embed the live status

CVE-2026-45704 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-45704 status](https://www.csirts.com/badge/CVE-2026-45704)](https://www.csirts.com/cve/CVE-2026-45704)