Primary

Context

toeverything AFFiNE Authorization Bypass Vulnerability in Public Markdown Preview Endpoint

Vulnerability

An authorization bypass vulnerability has been identified in toeverything AFFiNE versions prior to 0.26.3. The issue arises in the Public Markdown Preview Endpoint, specifically within the allowDocPreview function of the file /workspace/:workspaceId/:docId. This vulnerability can be exploited remotely, allowing unauthorized access to document previews.

Impact

Exploitation of this vulnerability allows for unauthorized access to document previews, bypassing normal authorization controls.

Reproduction

The vulnerability can be reproduced by sending a request to the Public Markdown Preview Endpoint with a specified workspaceId and docId. The request will bypass authorization checks, allowing access to the requested document preview without the necessary permissions.

Added: May 3, 2026, 4:18 PM

Updated: May 3, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

8.7

remediation

0.0

relevance

7.3

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

8.7

remediation

0.0

relevance

7.3

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

toeverything AFFiNE Authorization Bypass Vulnerability in Public Markdown Preview Endpoint

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating