PT-2026-50546
Published 2026-06-17 · Updated 2026-06-17
CVE-2026-49463
Severity: None
No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
Today I received a public security credit for a vulnerability I responsibly disclosed:
CVE-2026-54683 – Improper authorization in NL Portal
The vulnerability allowed any authenticated portal user to download documents belonging to other users when they had access to a valid document identifier.
An earlier fix for the related CVE-2026-49463 turned out to be incomplete. The authorization parameter added to the GraphQL query was not actually used, while a vulnerable REST endpoint also remained accessible.
The issue affected versions before 3.0.3 and has now been fully resolved by removing the unsafe endpoints and requiring document downloads to go through properly authorized case- or message-scoped endpoints.
CVSS: 6.5
CWE: CWE-285 and CWE-639
Credit: Ray Sabee / WhitehatSecurity.nl
GitHub advisory:
I’m especially happy with this one because it was a follow-up investigation. The original vulnerability had already been marked as fixed, but further testing showed that document contents were still accessible.
Not sure if I can post this here, so feel free to remove it.
Bounty: high xxx
Peace!
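The post contrasts two download patterns: a lookup keyed only by document identifier (the CWE-639 case, which any authenticated user can reach) and one scoped through a case the caller actually participates in. The following is an added Python example to make that contrast concrete; it is not NL Portal's code and not the researcher's. The case/participant model, the function names and the sample data are constructed for illustration, and the "unused parameter" handler only mimics the shape of the incomplete fix the post describes, not the real GraphQL resolver.

```python
"""Added example (not NL Portal's code): document download authorization
scoped through the owning case, beside the direct-by-id lookup that
CWE-639 describes. Model, names and data are constructed for illustration."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the document."""


@dataclass
class Document:
    doc_id: str
    case_id: str
    content: bytes


@dataclass
class Case:
    case_id: str
    participants: set[str]  # user ids allowed to see this case's documents
    documents: dict[str, Document] = field(default_factory=dict)


# Constructed sample data: two users, each with their own case and document.
CASES = {
    "case-1": Case("case-1", {"alice"}),
    "case-2": Case("case-2", {"bob"}),
}
DOCUMENTS = {
    "doc-100": Document("doc-100", "case-1", b"alice's tax letter"),
    "doc-200": Document("doc-200", "case-2", b"bob's permit"),
}
for _doc in DOCUMENTS.values():
    CASES[_doc.case_id].documents[_doc.doc_id] = _doc


def download_by_id_vulnerable(user: str, doc_id: str) -> bytes:
    """Pattern the post describes: being authenticated plus knowing a valid
    document id is enough. The user is never compared against the owner."""
    if not user:
        raise Forbidden("authentication required")
    return DOCUMENTS[doc_id].content


def download_by_id_unused_param(user: str, doc_id: str, authorized_for: str) -> bytes:
    """Incomplete-fix shape: an authorization parameter was added to the
    signature, but the body never consults it, so nothing changes."""
    return download_by_id_vulnerable(user, doc_id)


def download_via_case(user: str, case_id: str, doc_id: str) -> bytes:
    """Hardened pattern: the lookup is scoped to a case the caller is a
    participant of, and the document must belong to that case. A valid
    doc_id from someone else's case yields Forbidden, not content."""
    case = CASES.get(case_id)
    if case is None or user not in case.participants:
        raise Forbidden(f"{user} may not access {case_id}")
    doc = case.documents.get(doc_id)  # only documents of *this* case
    if doc is None:
        raise Forbidden(f"{doc_id} is not part of {case_id}")
    return doc.content


def leaks_cross_user(user: str, doc_id: str) -> bool:
    """Regression check of the kind the post's follow-up test performed:
    True if the by-id handler hands `user` a document from a case they
    do not participate in."""
    content = download_by_id_vulnerable(user, doc_id)
    owner_case = CASES[DOCUMENTS[doc_id].case_id]
    return bool(content) and user not in owner_case.participants


if __name__ == "__main__":
    print(leaks_cross_user("bob", "doc-100"))  # True: bob reads alice's document
    try:
        download_via_case("bob", "case-1", "doc-100")
    except Forbidden as e:
        print("scoped endpoint blocked:", e)
```

The point of `leaks_cross_user` is the re-test the post describes: after a fix lands, call every remaining download path as user B with user A's identifier and assert on the content, not on whether a new parameter appeared in the schema.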
Related identifiers
Affected products
Undefined