CVE-2026-59262

Summary

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

Affected Software

VendorProductVersion RangeStatus
affinemonorepo0 < 0.26.3affected
affinemonorepo0 <= 1f0bcd0affected

Weaknesses

  • CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References