Comet Backup IDOR Vulnerability Allowing Cross-Tenant Account Impersonation

Vulnerability

A critical Insecure Direct Object Reference (IDOR) vulnerability exists in Comet Backup, affecting all versions from 20.11.0 to 26.1.1, and version 26.2.1. It allows a tenant administrator to impersonate any end-user account belonging to another tenant on the same server through a vulnerable API call, because the call resolves the target account without verifying that it belongs to the calling administrator's tenant.
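The following is an added illustration of the authorization failure this advisory describes, written for this page and not taken from Comet Backup's code base. The endpoint, data model and names (`impersonate_vulnerable`, `impersonate_fixed`, `can_impersonate`, the `tenant-a`/`tenant-b` directory) are hypothetical: the point is that an admin-level impersonation call which looks up the target purely by identifier is an IDOR, and that the fix is to bind the lookup to the caller's tenant and to return the same error for "not found" and "not in your tenant".

```python
"""Tenant-scoped authorization for an impersonation endpoint (hypothetical).

Added example, not Comet Backup's own code. Shows the IDOR pattern from the
advisory (target resolved by identifier only) next to a tenant-bound check.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    tenant_id: str


@dataclass(frozen=True)
class Admin:
    name: str
    tenant_id: str  # the only tenant this administrator may act within


class AuthorizationError(Exception):
    """Raised when the caller may not act on the requested account."""


# Constructed sample directory: two tenants sharing one server.
USERS = {
    "alice": User("alice", "tenant-a"),
    "bob": User("bob", "tenant-b"),
}

AUDIT_LOG = []  # constructed stand-in for a real audit sink


def issue_session(user: User) -> dict:
    """Stand-in for minting an end-user session for `user`."""
    return {"subject": user.username, "tenant": user.tenant_id}


def impersonate_vulnerable(admin: Admin, target_username: str) -> dict:
    """IDOR: the target is resolved by name alone. Any admin on the server
    can obtain a session for any user in any tenant."""
    user = USERS.get(target_username)
    if user is None:
        raise KeyError(target_username)
    return issue_session(user)


def can_impersonate(admin: Admin, target_username: str) -> bool:
    """Ownership check: the target must exist AND sit in the admin's tenant."""
    user = USERS.get(target_username)
    return user is not None and user.tenant_id == admin.tenant_id


def impersonate_fixed(admin: Admin, target_username: str) -> dict:
    """Hardened form: scope the lookup to the caller's tenant.

    "Not found" and "belongs to another tenant" produce the same error so a
    tenant admin cannot use the endpoint to enumerate other tenants' users.
    Denials are logged so cross-tenant probing is visible to the operator."""
    if not can_impersonate(admin, target_username):
        AUDIT_LOG.append(
            f"DENY impersonate admin={admin.name} tenant={admin.tenant_id} "
            f"target={target_username}"
        )
        raise AuthorizationError("user not found in your tenant")
    AUDIT_LOG.append(
        f"ALLOW impersonate admin={admin.name} tenant={admin.tenant_id} "
        f"target={target_username}"
    )
    return issue_session(USERS[target_username])


def denied_events() -> int:
    """Number of cross-tenant denials recorded so far (for a detection rule)."""
    return sum(1 for line in AUDIT_LOG if line.startswith("DENY"))


if __name__ == "__main__":
    admin_a = Admin("admin-a", "tenant-a")
    # The vulnerable call hands tenant-a's admin a session for tenant-b's user.
    print(impersonate_vulnerable(admin_a, "bob"))
    # The fixed call only works inside the admin's own tenant.
    print(impersonate_fixed(admin_a, "alice"))
    try:
        impersonate_fixed(admin_a, "bob")
    except AuthorizationError as exc:
        print("denied:", exc)
    print(AUDIT_LOG)
```

Operators of multi-tenant services can apply the same split in detection: a burst of DENY entries from one administrator against identifiers outside their tenant is the signal to alert on, and the fixed handler emits exactly that line.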

Impact

Exploitation of this vulnerability results in cross-tenant account takeover: a tenant administrator can obtain the session of any end-user account belonging to another tenant on the same server, with the access that account has to its own backup data.

Remediation

Comet Backup has been upgraded on Comet Hosted servers, so no action is required for Comet Hosted administrators. For self-hosted instances, Comet Backup should be updated to version 26.1.2, 26.2.2 or higher.

Added: May 4, 2026, 7:36 AM
Updated: May 4, 2026, 7:36 AM

Vulnerability Rating

Custom Algorithm

spread:          0.0
impact:          3.1
exploitability:  4.4
remediation:     0.0
relevance:       7.2
threat:          0.0
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.