Medium severity 4.3 · NVD Advisory · Published Apr 8, 2026 · Updated Jun 2, 2026
CVE-2026-35023
Description
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information.
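A defender can look for the enumeration pattern described above in web server access logs. The following is an added example, not code from the advisory or from Wimi: it assumes combined-format access logs with the authenticated user in the third field, and the sample lines, the function names and the `min_run` threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (assumed combined log format, not real traffic).
SAMPLE_LOG = [
    f'198.51.100.7 - alice [08/Apr/2026:10:00:{i:02d} +0000] '
    f'"GET /preview.php?item_id={4100 + i} HTTP/1.1" 200 5120'
    for i in range(6)
] + [
    '203.0.113.9 - bob [08/Apr/2026:10:01:00 +0000] "GET /preview.php?item_id=88 HTTP/1.1" 200 4096',
    '203.0.113.9 - bob [08/Apr/2026:10:02:10 +0000] "GET /preview.php?item_id=4502 HTTP/1.1" 200 4096',
    '203.0.113.9 - bob [08/Apr/2026:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 900',
]

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def preview_requests(lines):
    """Yield ((ip, user), item_id) for every request to preview.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("preview.php"):
            continue
        ids = parse_qs(url.query).get("item_id", [])
        if ids and ids[0].isdigit():
            yield (ip, user), int(ids[0])

def longest_run(ids):
    """Length of the longest run of consecutive integers, in any request order."""
    seen, best = set(ids), 0
    for start in seen:
        if start - 1 not in seen:          # only count from the start of a run
            n = 1
            while start + n in seen:
                n += 1
            best = max(best, n)
    return best

def flag_enumeration(lines, min_run=5):
    """Map each client to its longest sequential item_id run, if >= min_run."""
    per_client = defaultdict(list)
    for client, item_id in preview_requests(lines):
        per_client[client].append(item_id)
    runs = {c: longest_run(v) for c, v in per_client.items()}
    return {c: r for c, r in runs.items() if r >= min_run}
```

Legitimate clients that page through a single conversation can also produce short runs, so tune `min_run` against normal traffic; this check only surfaces past access and does not replace upgrading to 8.2.0.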
Affected products
- cpe:2.3:a:wimi-teamwork:wimi-teamwork:*:*:*:*:on-premises:*:*:* (range: <8.2.0)
- (no CPE), range: <8.2.0
- Range: <8.2.0
References
- www.vulncheck.com/advisories/wimi-teamwork-on-premises-idor-via-preview-php (nvd, Third Party Advisory)
- www.wimi-teamwork.com/en/product-update (nvd, Release Notes)