9.9
CVE-2026-29200: Comet Backup: Tenant Admin Can Access Other Users' Accounts
CVE-2026-29200
Summary
This vulnerability affects all Comet Backup versions from 20.11.0 to 26.1.1 and 26.2.1. If left unpatched, a malicious tenant administrator can access end-user accounts belonging to other tenants on the same server. Update to the latest version to fix this issue and protect user data.
Original title
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-us...
Original description
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
NVD CVSS 4.0
9.9
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 4 May 2026 · Updated: 28 May 2026 · First seen: 4 May 2026