CVE-2026-12686

Adiss · Biloop

An authenticated cross-tenant authorization bypass in Adiss Biloop allows users to access or modify data belonging to other companies by manipulating the company ID parameter.

Executive summary

A critical authorization bypass vulnerability in Adiss Biloop allows authenticated users to access and manipulate sensitive data across different tenant environments.

Vulnerability

The application fails to perform adequate server-side validation of the company ID parameter during POST requests. An authenticated user can exploit this to bypass cross-tenant boundaries, potentially accessing or altering sensitive billing and customer data of other organizations.

Business impact

This vulnerability poses a severe risk to data confidentiality and integrity. With a CVSS score of 9.3, it represents a critical threat, as unauthorized access to multi-tenant environments can lead to significant data breaches, regulatory non-compliance, and loss of customer trust.

Remediation

Immediate Action: Update the Adiss Biloop installation to the latest version provided by the vendor to implement proper authorization checks.

Proactive Monitoring: Review application access logs for anomalous POST requests involving unauthorized company ID parameters.

Compensating Controls: Ensure that Web Application Firewalls (WAF) are configured to monitor and block suspicious request patterns targeting company ID parameters.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical nature of this authorization bypass, administrators must prioritize patching the affected Biloop instance immediately. Failure to address this flaw leaves sensitive cross-tenant data exposed to unauthorized manipulation.