PT-2026-36771 · Unknown · Comet Backup
Published
2026-05-04
·
Updated
2026-05-15
·
CVE-2026-29200
CVSS v4.0
9.9
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Comet Backup versions 20.11.0 through 26.1.1
Comet Backup version 26.2.1
Description
An Insecure Direct Object Reference (IDOR)—a flaw where an application provides direct access to objects based on user-supplied input—exists that allows a tenant administrator to impersonate any end-user account belonging to other tenants on the same server through a vulnerable API call.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Comet Backup