SysReptor Improper Authorization Vulnerability in Note Sharing Links
Vulnerability
SysReptor versions from 2026.4 up to, but not including, 2026.27 contain an improper authorization vulnerability in the endpoints for reading and creating sharing links for personal notes. An authenticated attacker who obtains the note ID of another user's personal note can list and create sharing links to that note, thereby gaining read and write access to it. The issue affects both SysReptor Professional and Community. In Community it has no impact, because all users have superuser permissions, which already allow access to other users' personal notes.
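The missing object-level check described above, modeled as an added example; this is not SysReptor's code, and `User`, `Note`, `NOTES` and all function names are hypothetical, with constructed sample data. It places a share-link handler that resolves a personal note by ID alone beside one that scopes the lookup to the note's owner, keeping the superuser case mentioned for Community.

```python
from dataclasses import dataclass, field
import secrets

@dataclass(frozen=True)
class User:
    id: str
    is_superuser: bool = False

@dataclass
class Note:
    id: str
    owner_id: str  # a personal note belongs to exactly one user
    share_tokens: list = field(default_factory=list)

class Forbidden(Exception):
    """Raised when the caller may not act on the requested note."""

# Constructed sample data: one personal note owned by "alice".
NOTES = {"note-1": Note(id="note-1", owner_id="alice")}

def create_share_link_unchecked(user, note_id):
    """Flawed pattern: caller is authenticated, but the note is resolved by ID alone."""
    note = NOTES[note_id]
    token = secrets.token_urlsafe(16)
    note.share_tokens.append(token)
    return token

def get_note_for(user, note_id):
    """Object-level check: return the note only to its owner or a superuser."""
    note = NOTES.get(note_id)
    if note is None or not (user.is_superuser or note.owner_id == user.id):
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        raise Forbidden(note_id)
    return note

def create_share_link(user, note_id):
    """Hardened create: the ownership check runs before any link is issued."""
    note = get_note_for(user, note_id)
    token = secrets.token_urlsafe(16)
    note.share_tokens.append(token)
    return token

def list_share_links(user, note_id):
    """Hardened list: the read endpoint goes through the same scoped lookup."""
    return list(get_note_for(user, note_id).share_tokens)
```

Routing both the list and the create path through one scoped lookup keeps the two endpoints from drifting apart in what they authorize.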
Impact
Exploitation of this vulnerability allows unauthorized read and write access to other users' personal notes by creating sharing links that bypass authorization checks.
Remediation
Users can update to SysReptor version 2026.27, which addresses this vulnerability. Instructions for updating are available in the SysReptor documentation.
