CVE-2026-50875

Vulnerability

The vulnerability exists in Deck9 Input v2.0.1 within the /{form}/webhooks/{webhook} endpoint, specifically in the FormWebhookController::update() and delete methods. The authorization logic validates access based on the {form} route parameter, but the {webhook} parameter is resolved independently and is not scoped to the parent form. This lack of scoped route binding or an explicit ownership check allows an authenticated user to mutate a webhook object that belongs to a form they do not own, provided they know the webhook identifier. The issue affects all instances of Deck9 Input v2.0.1 using the webhook feature.

Exploitation

An attacker must be authenticated and know the identifier of a target webhook (webhookB) that is attached to a form they do not own. The attacker can use their own form (formA) in the request path. By sending a PUT /api/forms/{formA}/webhooks/{webhookB} request with modified webhook fields (e.g., a changed URL or enabled state), the request is authorized because the supplied {form} belongs to the attacker. The mutation is then applied to webhookB despite it belonging to another form. The same procedure works with the DELETE method to delete the foreign webhook [1].

Impact

A successful exploit results in cross-form webhook integrity loss. An authenticated attacker can redirect, disable, modify, or delete a webhook belonging to another tenant's form. This compromises the intended functionality and security of webhook-based integrations, potentially leading to unauthorized data access or service disruption.

Mitigation

Not yet disclosed in the available references. As of the publication date (2026-06-15), no patch or workaround has been published for Deck9 Input v2.0.1. Users should monitor the vendor for updates and restrict access to the webhook API where possible.