Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Wimi Teamwork On-Premises leaks private conversations
CVE-2026-35023
Summary
Versions prior to 8.2.0 allow attackers to access private conversations and sensitive information by guessing conversation IDs. This could happen if you're using an outdated version of Wimi Teamwork On-Premises. Update to version 8.2.0 or later to prevent unauthorized access to your conversations.
Original title
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks...
Original description
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference vulnerability in the preview.php endpoint where the item_id parameter lacks proper authorization checks. Attackers can enumerate sequential item_id values to access and retrieve image previews from other users' private or group conversations, resulting in unauthorized disclosure of sensitive information.
nvd CVSS4.0
5.3
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 8 Apr 2026 · Updated: 10 Apr 2026 · First seen: 8 Apr 2026