Paymenter has broken object level authorization via service reference manipulation on ticket creation
Advisory details
Summary
The ticket creation endpoint accepts a user-supplied service identifier without enforcing ownership validation, allowing authenticated users to create support tickets referencing services belonging to other accounts by modifying the service ID in the request.
Technical Details
The ticket creation endpoint accepted a user-supplied service identifier without verifying ownership or authorization against the authenticated account. An attacker could modify the service ID value in the client-side request and successfully create a ticket associated with another user's service.
The vulnerability required authentication and did not provide direct access to service contents or customer data. However, referenced service information could become visible to support personnel handling the ticket.
Impact
Successful exploitation could allow an authenticated user to:
- Create support tickets referencing services belonging to other users
- Potentially cause support staff to interact with or review unrelated customer services
The vulnerability did not allow:
- Direct access to another user's service
- Modification of another user's service
- Retrieval of confidential service data through the vulnerable endpoint itself
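To make the Technical Details and Impact sections concrete, the following is an added example, not Paymenter's code: a minimal ticket-creation handler written in the vulnerable form the advisory describes (the server checks only that the client-supplied service ID exists) next to the ownership-scoped form, plus a retrospective audit that finds tickets whose referenced service belongs to someone other than the ticket's creator. The data model, function names and the two sample customers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    id: int
    owner_id: int
    name: str


@dataclass(frozen=True)
class Ticket:
    owner_id: int            # authenticated user who opened the ticket
    service_id: Optional[int]
    subject: str


class Forbidden(Exception):
    """Caller referenced an object outside their ownership scope."""


# Constructed sample data (hypothetical, not real Paymenter records):
# two customers, each owning one service.
SERVICES = {
    101: Service(id=101, owner_id=1, name="vps-alice"),
    202: Service(id=202, owner_id=2, name="vps-bob"),
}


def create_ticket_vulnerable(user_id, payload, services=SERVICES):
    """The pattern in the advisory: only existence of the client-supplied
    service_id is checked, never that it belongs to user_id."""
    service_id = payload.get("service_id")
    if service_id is not None and service_id not in services:
        raise LookupError("unknown service")
    return Ticket(owner_id=user_id, service_id=service_id, subject=payload["subject"])


def owned_service(user_id, service_id, services):
    """Resolve a service through the caller's own ownership scope.

    'Does not exist' and 'not yours' deliberately produce the same error so
    the endpoint cannot be used to enumerate which service IDs are valid."""
    svc = services.get(service_id)
    if svc is None or svc.owner_id != user_id:
        raise Forbidden("service not found for this account")
    return svc


def create_ticket_fixed(user_id, payload, services=SERVICES):
    """Same endpoint with object-level authorization enforced server-side."""
    service_id = payload.get("service_id")
    if service_id is not None:
        owned_service(user_id, service_id, services)  # raises on foreign IDs
    return Ticket(owner_id=user_id, service_id=service_id, subject=payload["subject"])


def outcome(handler, user_id, payload):
    """Run a handler and summarise the result as a short string."""
    try:
        ticket = handler(user_id, payload)
        return f"created service={ticket.service_id}"
    except Forbidden:
        return "forbidden"
    except LookupError:
        return "not found"


def find_cross_account_tickets(tickets, services=SERVICES):
    """Retrospective audit after patching: indexes of tickets whose referenced
    service is owned by a different account than the ticket's creator."""
    hits = []
    for idx, t in enumerate(tickets):
        if t.service_id is None:
            continue
        svc = services.get(t.service_id)
        if svc is not None and svc.owner_id != t.owner_id:
            hits.append(idx)
    return hits


if __name__ == "__main__":
    # User 1 submits a ticket that references user 2's service.
    foreign = {"subject": "Help", "service_id": 202}
    print("vulnerable:", outcome(create_ticket_vulnerable, 1, foreign))
    print("fixed:     ", outcome(create_ticket_fixed, 1, foreign))
    bad = create_ticket_vulnerable(1, foreign)
    good = create_ticket_fixed(1, {"subject": "Help", "service_id": 101})
    print("audit hits:", find_cross_account_tickets([good, bad]))
```

The fix is the lookup scope, not an extra field: resolving the service through the authenticated account's own ownership relation (in a Laravel codebase, querying the user's related services rather than the global service table) makes a foreign ID indistinguishable from a nonexistent one. The audit function is the check an operator would run once over the ticket table to find records created while the endpoint was unpatched, since those may already have exposed another customer's service reference to support staff.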
References