VYPR
High severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-11369

Description

An IDOR vulnerability in linqi's Comment API allows authenticated users to access comments on any process across business units.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability exists in the Comment API endpoints (GET /api/Comment and POST /api/Comment) of linqi versions prior to 1.4.8.6. The application fails to perform adequate authorization checks to verify if the requesting user has access to the object identified by the relatedObjectId parameter. The root cause is that the relatedObjectId is passed directly to the database without verifying ownership or access rights [1].

Exploitation

An attacker who is already authenticated to the application can exploit this vulnerability. By supplying an arbitrary object GUID in the relatedObjectId parameter of requests to the Comment API, the attacker can read or write comments on any process, regardless of business unit or ownership [1].

Impact

Successful exploitation allows any authenticated user to read and write comments on any process across all business units within the system. This grants unauthorized access to potentially sensitive information contained within comments and allows for the modification or addition of comments to unrelated processes [1].

Mitigation

The vulnerability is resolved in linqi version 1.4.8.6, released on June 05, 2026. The update implements strict ownership validation checks before database interactions. Customers are strongly advised to update to version 1.4.8.6 or later as soon as possible [1].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
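The authorization gap described under Vulnerability, and the ownership check that Mitigation describes, modelled as an added example in Python. This is not linqi's code: the Process and User types, the business-unit ownership rule, the in-memory stores, and the GUIDs are all assumptions.

```python
from dataclasses import dataclass

# Assumed model (not linqi's code): a Process lives in one business unit and
# its GUID is what the Comment API receives as relatedObjectId.
@dataclass(frozen=True)
class Process:
    id: str
    business_unit: str

@dataclass(frozen=True)
class User:
    id: str
    business_unit: str

class Forbidden(Exception):
    """Caller may not access the related object."""

# Constructed sample data; GUIDs and business units are made up.
PROC_SALES = "0f1d6a2e-1111-4c2b-9a1a-000000000001"
PROC_HR = "0f1d6a2e-2222-4c2b-9a1a-000000000002"
PROCESSES = {PROC_SALES: Process(PROC_SALES, "sales"),
             PROC_HR: Process(PROC_HR, "hr")}
COMMENTS = {PROC_SALES: ["Q3 forecast attached"],
            PROC_HR: ["Salary review pending"]}
ALICE = User("alice", "sales")   # sales user; should never see HR comments

def get_comments_vulnerable(user: User, related_object_id: str) -> list:
    # Pre-1.4.8.6 pattern: the identifier goes straight to the data store,
    # so any authenticated user can read comments on any process.
    return list(COMMENTS.get(related_object_id, []))

def authorize_related_object(user: User, related_object_id: str) -> Process:
    # Fixed pattern: resolve the object and check the caller's access to it
    # before any comment read or write. Missing and foreign objects raise the
    # same error so the endpoint does not reveal which GUIDs exist.
    process = PROCESSES.get(related_object_id)
    if process is None or process.business_unit != user.business_unit:
        raise Forbidden(f"{user.id} may not access {related_object_id}")
    return process

def get_comments_fixed(user: User, related_object_id: str) -> list:
    authorize_related_object(user, related_object_id)
    return list(COMMENTS[related_object_id])

def post_comment_fixed(user: User, related_object_id: str, text: str) -> int:
    # Same check guards the write path (POST /api/Comment).
    authorize_related_object(user, related_object_id)
    COMMENTS[related_object_id].append(text)
    return len(COMMENTS[related_object_id])
```

The check belongs on every endpoint that takes relatedObjectId, not only on reads; a detection rule can flag responses where the comment's process business unit differs from the caller's.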

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)