CVE-2026-3321

UNKNOWN 0.0

Authorization Bypass in ON24 Q&A chat

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.

CWE	CWE-639
Vendor	on24
Product	on24 q&a chat
Published	Mar 30, 2026
Last Updated	Mar 30, 2026

Stay Ahead of the Next One

Get instant alerts for on24 on24 q&a chat

Be the first to know when new unknown vulnerabilities affecting on24 on24 q&a chat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

ON24 / ON24 Q&A chat

0 ≤ *

References

NVD ↗ CVE.org ↗ EPSS Data ↗

incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-on24-qa-chat

Credits

Samuel de Lucas Maroto