PT-2026-31307 · Wimi · Wimi Teamwork On-Premises
Noa Tchoumak +1 · Published 2026-04-08 · Updated 2026-04-12 · CVE-2026-35023
CVSS v3.1: 4.3 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Name of the Vulnerable Software and Affected Versions
Wimi Teamwork On-Premises versions prior to 8.2.0
Description
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference issue in the /preview.php endpoint. The item id parameter does not have sufficient authorization checks. Attackers can enumerate sequential item id values to access and retrieve image previews from other users' private or group conversations, leading to unauthorized disclosure of sensitive information.
Recommendations
Update to version 8.2.0 or later.
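For reviewing exposure on servers that ran an affected version, the following detection logic (an added example, not part of the advisory and not Wimi code) scans web access logs for the pattern described above: one client requesting /preview.php across a run of consecutive item ids. It assumes combined-format access logs, that the parameter appears in the query string spelled `item_id`, and that client IP is a usable grouping key; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Assumptions: combined-format access log; query parameter spelled "item_id".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    f'198.51.100.7 - - [08/Apr/2026:10:00:{s:02d} +0000] '
    f'"GET /preview.php?item_id={1040 + s} HTTP/1.1" {404 if s == 3 else 200} 512'
    for s in range(8)
] + [
    '192.0.2.10 - - [08/Apr/2026:10:01:00 +0000] "GET /preview.php?item_id=88 HTTP/1.1" 200 512',
    '192.0.2.10 - - [08/Apr/2026:10:02:00 +0000] "GET /preview.php?item_id=4312 HTTP/1.1" 200 512',
]

def longest_run(ids):
    """Return (length, first_id) of the longest run of consecutive integers."""
    best = (0, None)
    for i in ids:
        if i - 1 in ids:
            continue  # i is not the start of a run
        n = 1
        while i + n in ids:
            n += 1
        if n > best[0]:
            best = (n, i)
    return best

def find_enumeration(lines, min_run=5):
    """Map client IP -> (run_length, first_id, http_200_count) for runs >= min_run."""
    seen = defaultdict(dict)  # ip -> {item_id: last status seen}
    for line in lines:
        m = LINE_RE.match(line)
        url = urlsplit(m["url"]) if m else None
        if url is None or url.path != "/preview.php":
            continue
        vals = parse_qs(url.query).get("item_id", [])
        if len(vals) != 1 or not (vals[0].isascii() and vals[0].isdigit()):
            continue
        seen[m["ip"]][int(vals[0])] = int(m["status"])
    findings = {}
    for ip, ids in seen.items():
        run, start = longest_run(ids)
        if run >= min_run:
            served = sum(ids[i] == 200 for i in range(start, start + run))
            findings[ip] = (run, start, served)
    return findings
```

A flagged run is a lead for review rather than proof of abuse, since a client scrolling through one conversation can also request neighbouring ids; tune `min_run` against normal traffic.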
Fix
IDOR
Weakness Enumeration
Related Identifiers
Affected Products
Wimi Teamwork On-Premises