Summary
NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)
References
Related vulnerabilities
- MEDIUM GHSA-FCVX-5CXC-V5P8
  OpenClaw: Slack reaction events could ignore reaction notification settings
- HIGH GHSA-HJWC-26PJ-V3PM
  AgenticMail: Cross-agent task authorization bypass in AgenticMail API
- MEDIUM GHSA-2FJJ-QQG8-FG7X
  praisonai-platform: Authorization Bypass Through User-Controlled Key
- HIGH GHSA-RH39-9C67-59MH
  PraisonAI: Missing ownership check on DELETE endpoints allows members to delete others' content in Platform API
- CRITICAL GHSA-8FQ9-273G-6MRG
  Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
- MEDIUM GHSA-QWXF-2M7M-2M3X
  Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join