🔐 CVE Alert

CVE-2026-40127

UNKNOWN 0.0

Authorization Bypass Through User-Controlled Key in OutSystems Lifetime

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 12th

OutSystems Lifetime is vulnerable to an Authorization Bypass Through User-Controlled Key in the ApplicationID parameter. Any authenticated user can read the Change Log, which contains actions performed by other users, as well as the application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955.

CWE CWE-639
Vendor outsystems
Product lifetime
Published May 25, 2026
Last Updated May 26, 2026

Affected Versions

OutSystems / Lifetime
0 < 11.28.2.3955

References

cert.pl: https://cert.pl/en/posts/2026/05/CVE-2026-40126/
outsystems.com: https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953&MajorVersion=11&ComponentName=LifeTime

Credits

Zbigniew Piotrak (AFINE Team)