๐Ÿ” CVE Alert

CVE-2026-59262

MEDIUM 6.5

AFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

CWE CWE-862
Vendor affine
Product monorepo
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for affine monorepo

Be the first to know when new medium vulnerabilities affecting affine monorepo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

affine / monorepo
0 < 0.26.3 0 โ‰ค 1f0bcd0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/toeverything/AFFiNE/issues/15179 github.com: https://github.com/toeverything/AFFiNE github.com: https://github.com/toeverything/AFFiNE/commit/1f0bcd01a37a522393fc1b288395e3a72a79ccad vulncheck.com: https://www.vulncheck.com/advisories/affine-unauthorized-document-edit-history-access-via-graphql-histories-field

Credits

๐Ÿ” George Chen