CVE-2026-11764
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CWE: CWE-280
Description
When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.
Source: NVD
Related CVEs
Same CWE
- CVE-2026-40371 — Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elev... (8.8 HIGH)
- CVE-2026-10549 — LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass ...
- CVE-2026-9792 — A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component (6.5 MEDIUM)
- CVE-2026-2340 — A flaw was found in Samba’s vfs_worm module (6.5 MEDIUM)
- CVE-2026-20817 — Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privilege... (7.8 HIGH)