CVE-2026-59262 in AFFiNEinfo

Summary

by MITRE • 07/08/2026

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability represents a critical access control flaw in AFFiNE's GraphQL API implementation where the histories field fails to properly validate Doc.Read permissions before exposing document edit history information. The technical flaw stems from insufficient authorization checks within the GraphQL resolver logic that governs access to document revision histories, allowing authenticated workspace members to bypass normal permission boundaries and retrieve comprehensive edit timelines for documents they should not be able to access. The vulnerability operates through a straightforward exploitation pattern where attackers can supply arbitrary document GUIDs to query the histories field and receive detailed information including user names, email addresses, timestamps, and complete editing sequences from private pages they lack proper read permissions for.

The operational impact of this vulnerability extends beyond simple information disclosure as it creates a comprehensive audit trail that reveals sensitive metadata about document access patterns and user activities. Attackers can construct detailed timelines showing when specific users accessed or modified documents, potentially exposing confidential information about internal processes, strategic decisions, or sensitive project details. This represents a significant violation of the principle of least privilege and undermines the fundamental security model of the platform where authenticated users should only be able to access content they have proper authorization to view. The vulnerability affects any authenticated workspace member regardless of their actual document permissions, creating a persistent security risk that could enable targeted attacks or information gathering operations.

From a cybersecurity perspective, this vulnerability aligns with CWE-285 (Improper Authorization) and represents a classic case of insufficient access control validation in API endpoints. The flaw demonstrates poor input validation practices where the GraphQL query execution does not properly verify user permissions against the requested resource before returning sensitive data. This vulnerability also maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) as it allows attackers to leverage their authenticated status to access unauthorized resources, and T1566 (Phishing) in scenarios where attackers might use the gathered information for social engineering purposes. The exposure of user email addresses and timestamps creates additional attack surface for credential stuffing or targeted phishing campaigns, while the complete edit history could reveal sensitive business processes or internal communication patterns.

Mitigation strategies should focus on implementing robust permission validation within the GraphQL resolvers before any history data is returned. The system must verify Doc.Read permissions for each requested document GUID against the authenticated user's access rights before executing the history query. This requires enforcing proper authorization checks at the API level and ensuring that all GraphQL fields implementing history retrieval maintain strict access control boundaries. Additionally, implementing rate limiting and monitoring for unusual history query patterns can help detect potential exploitation attempts. The fix should also include logging of all history queries for security auditing purposes, with particular attention to queries involving document GUIDs that the requesting user should not have access to according to their permission level. Organizations using AFFiNE should conduct comprehensive access control reviews and implement proper segregation of duties to prevent similar issues in other API endpoints.

Responsible

VulnCheck

Reservation

07/04/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!