{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40127", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-04-09T10:15:00.973Z", "datePublished": "2026-05-25T10:18:05.904Z", "dateUpdated": "2026-05-25T10:18:05.904Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Lifetime", "vendor": "OutSystems", "versions": [{"lessThan": "11.28.2.3955", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Zbigniew Piotrak (AFINE Team)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">OutSystems Lifetime is vulnerable to A</span>uthorization Bypass Through User-Controlled Key vulnerability in <i>ApplicationID</i> parameter. Any authenticated user, can&nbsp;read the Change Log containing actions performed by other users as well as application name of any application.<br><br>This issue was fixed in OutSystems Lifetime version&nbsp;11.28.2.3955<br>"}], "value": "OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can\u00a0read the Change Log containing actions performed by other users as well as application name of any application.\n\nThis issue was fixed in OutSystems Lifetime version\u00a011.28.2.3955"}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-05-25T10:18:05.904Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/05/CVE-2026-40126/"}, {"tags": ["product"], "url": "https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953&MajorVersion=11&ComponentName=LifeTime"}], "source": {"discovery": "EXTERNAL"}, "title": "Authorization Bypass Through User-Controlled Key in OutSystems Lifetime", "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{}

{}

{"created": "2026-05-25T12:30:25.459288+00:00", "updated": "2026-05-25T12:30:25.459300+00:00", "vendors": []}