HomeCVE Intelligence › CVE-2026-49464
CVSS 8.1 HIGH Vulnerability

CVE-2026-49464: NL Portal: IDOR allows any authenticated user to complete and tamper with another user's…

Impact In versions from 1.5.0 up to and including 3.0.0, any authenticated portal user could complete and tamper with another user's open task by submitting it on their behalf. The task submission endpoint accepted a ta…

8.1CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-49464
Vendormaven
Affected Productnl.nl-portal:taak
Vulnerability TypeVulnerability
CVSS Score8.1 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Impact In versions from 1.5.0 up to and including 3.0.0, any authenticated portal user could complete and tamper with another user's open task by submitting it on their behalf. The task submission endpoint accepted a task ID and a payload, but it never checked whether the task actually belonged to the user making the call. An attacker who held a valid login (a normal burger OAuth token) and who knew or guessed another user's task ID could: - Mark someone else's task as completed.

• Overwrite the data submitted with that task — the verzonden_data — with arbitrary input of their choosing.
• Receive the full task back in the GraphQL response, including the form data that the legitimate owner had already entered. This leaks personal data belonging to the original user. Functionally this

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-49464 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence