CVE-2026-63099 in TheHiveinfo

Summary

by MITRE • 07/17/2026

TheHive through 4.1.24 contains a broken object-level authorization vulnerability in the attachment download endpoints that allows any authenticated user to access attachments belonging to other organizations by supplying a content-hash identifier. Attackers can exploit the missing organization-scoped authorization check in AttachmentSrv.visible, which is implemented as a pass-through traversal, to download arbitrary attachments.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

TheHive version 4.1.24 and earlier contains a critical broken object-level authorization vulnerability that fundamentally undermines the security boundaries between organizations within the platform. This vulnerability exists in the attachment download endpoints where the system fails to properly verify organizational ownership when processing content-hash identifiers. The flaw stems from inadequate authorization checks that should enforce organization-scoped access controls but instead allow unrestricted traversal through the attachment service layer.

The technical implementation of this vulnerability occurs within the AttachmentSrv.visible method which serves as a pass-through mechanism for attachment retrieval operations. This component lacks proper validation to ensure that authenticated users can only access attachments belonging to their own organization or authorized entities. The content-hash identifier parameter acts as an entry point for unauthorized access, allowing attackers to construct requests that bypass normal access control mechanisms. The vulnerability is particularly dangerous because it operates at the object level rather than the system level, meaning that even authenticated users can escalate their privileges through carefully crafted requests.

From an operational impact perspective, this vulnerability creates a significant risk of data leakage and unauthorized information access across organizational boundaries. Attackers can exploit this weakness to download sensitive attachments belonging to other organizations within the same TheHive instance, potentially accessing confidential case files, evidence, or communications that should remain isolated. The severity is compounded by the fact that no additional authentication or authorization steps are required beyond basic user login, making exploitation straightforward and accessible to any authenticated user within the system.

Security practitioners should note this vulnerability aligns with CWE-285 (Improper Authorization) and maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) where attackers leverage legitimate credentials to access unauthorized resources. Organizations using TheHive should immediately implement patch management procedures to upgrade to version 4.1.25 or later where proper organization-scoped authorization checks have been implemented. Additionally, network segmentation and monitoring of attachment download activities can help detect potential exploitation attempts by identifying unusual access patterns or unauthorized content retrieval operations.

Responsible

VulnCheck

Reservation

07/15/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!