CVE-2026-12686
Adiss · Biloop
An authenticated cross-tenant authorization bypass in Adiss Biloop allows users to access or modify data belonging to other companies by manipulating the company ID parameter.
Executive summary
A critical authorization bypass vulnerability in Adiss Biloop allows authenticated users to access and manipulate sensitive data across different tenant environments.
Vulnerability
The application fails to perform adequate server-side validation of the company ID parameter during POST requests. An authenticated user can exploit this to bypass cross-tenant boundaries, potentially accessing or altering sensitive billing and customer data of other organizations.
Business impact
This vulnerability poses a severe risk to data confidentiality and integrity. With a CVSS score of 9.3, it represents a critical threat, as unauthorized access to multi-tenant environments can lead to significant data breaches, regulatory non-compliance, and loss of customer trust.
Remediation
Immediate Action: Update the Adiss Biloop installation to the latest version provided by the vendor to implement proper authorization checks.
Proactive Monitoring: Review application access logs for anomalous POST requests involving unauthorized company ID parameters.
Compensating Controls: Ensure that Web Application Firewalls (WAF) are configured to monitor and block suspicious request patterns targeting company ID parameters.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical nature of this authorization bypass, administrators must prioritize patching the affected Biloop instance immediately. Failure to address this flaw leaves sensitive cross-tenant data exposed to unauthorized manipulation.