CVE-2026-40127— Authorization Bypass Through User-Controlled Key in OutSystems Lifetime
Possible ATT&CK Techniques 1AI
T1528 · Steal Application Access TokenAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OutSystems | Lifetime | < 11.28.2.3955 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40127
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authorization Bypass Through User-Controlled Key in OutSystems Lifetime
Source: NVD (National Vulnerability Database)
Vulnerability Description
OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
OutSystems Lifetime 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OutSystems Lifetime是美国OutSystems公司的一个低代码平台管理控制中心。 OutSystems Lifetime 11.28.2.3955之前版本存在安全漏洞,该漏洞源于ApplicationID参数存在通过用户控制密钥绕过授权,可能导致任何经过身份验证的用户读取包含其他用户操作和应用程序名称的更改日志。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| OutSystems | Lifetime | 0 ~ 11.28.2.3955 | - |
II. Public POCs for CVE-2026-40127
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40127
请登录查看更多情报信息。
Security Blog Posts for CVE-2026-40127 (1)
- 🔗 Page not found | CERT Polskathird-party-advisory
Vendor Pages for CVE-2026-40127 (1)
IV. Related Vulnerabilities
Same weakness: CWE-639
- CVE-2026-7651
User Registration & Membership <= 5.1.5 - Authenticated (Sub - CVE-2026-3173
Meta Field Block <= 1.5.1 - Insecure Direct Object Reference - CVE-2026-9228
Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecu - CVE-2026-9241
FOX – Currency Switcher Professional for WooCommerce <= 1.4. - CVE-2026-46544
Microsoft UFO reuses client-supplied WebSocket session IDs a
V. Comments for CVE-2026-40127
No comments yet