PT-2026-41127 · Tuist · Tuist

High · pepicrft · Published 2026-05-14 · Updated 2026-05-15 · CVE-2026-44678

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Tuist versions prior to 1.180.9

Description: The "DELETE /api/projects/{account handle}/{project handle}/previews/{preview id}" endpoint loads a preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller only against the project encoded in the account handle and project handle, both of which the attacker controls. An authorized member of any project can therefore delete any preview whose UUID they supply, regardless of which project owns it.

Recommendations: Update to a version later than 1.180.8.
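The following is an added illustration, not Tuist's own (Elixir) code: a minimal in-memory model of the flawed handler beside its hardened form. The plug, store and handle names are constructed stand-ins; the point is that the fix scopes the preview lookup to the project resolved from the path rather than trusting the UUID alone.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple
import uuid

# (account_handle, project_handle) as resolved from the URL path
ProjectKey = Tuple[str, str]


@dataclass
class Preview:
    id: str
    project: ProjectKey  # the project this preview actually belongs to


@dataclass
class Store:
    previews: Dict[str, Preview] = field(default_factory=dict)
    members: Dict[ProjectKey, Set[str]] = field(default_factory=dict)

    def add_preview(self, project: ProjectKey) -> str:
        pid = str(uuid.uuid4())
        self.previews[pid] = Preview(pid, project)
        return pid


def authorization_plug(store: Store, user: str, project: ProjectKey) -> bool:
    """Stand-in for the project-level plug: the caller is checked only
    against the project named in the path, which the caller picks."""
    return user in store.members.get(project, set())


def delete_preview_vulnerable(store, user, project, preview_id) -> int:
    """Mirrors the flaw: once the plug passes, the preview is loaded by UUID
    alone and deleted whether or not it belongs to `project`."""
    if not authorization_plug(store, user, project):
        return 403
    if preview_id not in store.previews:
        return 404
    del store.previews[preview_id]
    return 204


def delete_preview_fixed(store, user, project, preview_id) -> int:
    """Hardened form: the lookup is scoped to the path project, so a UUID
    owned by another project is treated exactly like a missing one."""
    if not authorization_plug(store, user, project):
        return 403
    preview = store.previews.get(preview_id)
    if preview is None or preview.project != project:
        return 404
    del store.previews[preview_id]
    return 204


def build_sample_store() -> Store:
    """Constructed data: 'victim' belongs to acme/app, 'mallory' to evil/app."""
    store = Store()
    store.members[("acme", "app")] = {"victim"}
    store.members[("evil", "app")] = {"mallory"}
    return store
```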

Weakness Enumeration: IDOR

Related Identifiers: CVE-2026-44678

Affected Products: Tuist