Wimi Teamwork On-Premises Insecure Direct Object Reference Vulnerability in preview.php Endpoint

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in Wimi Teamwork On-Premises versions prior to 8.2.0. The preview.php endpoint does not properly authorize the item_id parameter. As a result, attackers can sequentially enumerate item_id values to access and retrieve image previews from private or group conversations of other users, leading to unauthorized disclosure of sensitive information.

Impact

Exploitation of this vulnerability allows for unauthorized access to image previews from other users' private or group conversations, resulting in the disclosure of sensitive information.

Remediation

Users can update to Wimi Teamwork On-Premises version 8.2.0 or later to address this vulnerability.
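
To review whether item_id was enumerated against preview.php before the upgrade, the access logs can be searched for clients that requested long consecutive runs of item_id values. The following is an added example, not code from Wimi or from this advisory. It assumes a "combined"-format access log, counts per client IP over the whole log with no time window, and uses thresholds and sample log lines that are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: "combined" access-log format from the web server or reverse proxy.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?:GET|HEAD|POST) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

def preview_requests(lines):
    """Yield (client_ip, item_id, status) for preview.php requests with a numeric item_id."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        ids = parse_qs(url.query).get("item_id", [])
        # The directory preview.php is served from is not stated in the advisory.
        if url.path.endswith("preview.php") and len(ids) == 1 and re.fullmatch(r"[0-9]+", ids[0]):
            yield m["ip"], int(ids[0]), int(m["status"])

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for i in sorted(ids):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best, prev = max(best, run), i
    return best

def find_enumeration(lines, min_distinct=20, min_run=10):
    """Return clients whose requests walk item_id sequentially (thresholds are assumptions)."""
    requested, served = defaultdict(set), defaultdict(set)
    for ip, item_id, status in preview_requests(lines):
        requested[ip].add(item_id)
        if status == 200:
            served[ip].add(item_id)
    return {ip: {"distinct": len(ids), "longest_run": longest_run(ids),
                 "served": len(served[ip]), "first": min(ids), "last": max(ids)}
            for ip, ids in requested.items()
            if len(ids) >= min_distinct and longest_run(ids) >= min_run}

def sample_log():
    """Constructed sample: one client walking item_id 1000..1029, one ordinary client."""
    fmt = '{ip} - - [08/Apr/2026:14:00:{s:02d} +0000] "GET /preview.php?item_id={i} HTTP/1.1" {st} 512 "-" "-"'
    walk = [fmt.format(ip="203.0.113.7", s=n, i=1000 + n, st=200) for n in range(30)]
    usual = [fmt.format(ip="198.51.100.4", s=n, i=i, st=200) for n, i in enumerate([17, 950, 4021])]
    return walk + usual

if __name__ == "__main__":
    for ip, info in find_enumeration(sample_log()).items():
        print(ip, info)
```

The "served" count is the number of distinct item_id values answered with HTTP 200, which bounds how many previews a flagged client may have retrieved.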

Added: Apr 8, 2026, 2:43 PM
Updated: Apr 8, 2026, 2:43 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 5.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.