PT-2026-35500 · Mettle · Sendportal

B1Scuit

Published

2026-04-27

Updated

2026-04-28

CVE-2026-7145

CVSS v2.0

5.5

Medium

Vector

AV:N/AC:L/Au:S/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions mettle sendportal versions prior to 3.0.2

Description An authorization bypass exists in the Invitation Handler component. A remote attacker can manipulate the invitation argument within the destroy() function of the 'app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php' file to bypass authorization controls.

Recommendations Update to a version newer than 3.0.1. As a temporary workaround, restrict access to the destroy() function in the 'app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php' file.

Fix

Improper Authorization

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285CWE-639

Related Identifiers

CVE-2026-7145

Affected Products

Sendportal

PT-2026-35500 · Mettle · Sendportal

CVE-2026-7145

Weakness Enumeration

Related Identifiers

Affected Products

References · 8