CVE-2026-35023
Wimi Teamwork On-Premises < 8.2.0 IDOR via preview.php
| CVSS Score | 4.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information.
| CWE | CWE-639 |
| Vendor | cloud solutions sas |
| Product | wimi teamwork |
| Published | Apr 8, 2026 |
| Last Updated | Apr 9, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | None |
| Availability | None |
Affected Versions
Cloud Solutions SAS / Wimi Teamwork
0 < 8.2.0
Credits
Noa Tchoumak VulnCheck