๐Ÿ” CVE Alert

CVE-2026-53536

UNKNOWN 0.0

Activepieces: Cross-tenant file download via missing JWT audience check on step-files signed URL

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Activepieces is an open source AI workflow automation platform. Prior to 0.83.0, the /v1/step-files/signed download endpoint verified the supplied JWT against the shared signing secret but did not check the token's audience, and combined with a missing null-check on the decoded fileId, this allowed any caller holding any valid Activepieces JWT (including a freshly created user's own access token) to receive a step-file belonging to another tenant. The file returned was whatever PostgreSQL happened to scan first for type = FLOW_STEP_FILE, varying over time as the database changed, so an authenticated user could obtain step-file attachments belonging to other tenants on the same instance; the attacker could not target a specific victim or file, and the access was read-only with no integrity or availability impact. This issue is fixed in version 0.83.0.

CWE CWE-345 CWE-639
Vendor activepieces
Product activepieces
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for activepieces activepieces

Be the first to know when new unknown vulnerabilities affecting activepieces activepieces are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

activepieces / activepieces
< 0.83.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/activepieces/activepieces/security/advisories/GHSA-9723-fmff-mc24 github.com: https://github.com/activepieces/activepieces/commit/2cb6148010a6c2a22900f4c8b08d75cc5c921d1c github.com: https://github.com/activepieces/activepieces/commit/afe852f60e39fcc6273d41e11f0765586b5a0e49 github.com: https://github.com/activepieces/activepieces/releases/tag/0.83.0