NL Portal IDOR Vulnerability Allows Tampering and Data Leakage of Other Users' Tasks (CVE-2026-49464)
An Insecure Direct Object Reference (IDOR) vulnerability, CVE-2026-49464, in NL Portal's Taak V2 implementation (versions 1.5.0 through 3.0.0) allows authenticated attackers to mark other users' tasks as complete, overwrite submitted data, and leak personal information by exploiting an authorization bypass in the `submitTaakV2` GraphQL endpoint.
A high-severity Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2026-49464, has been identified in the NL Portal's Taak V2 implementation, affecting versions from 1.5.0 up to and including 3.0.0. This flaw permits any authenticated portal user (burger OAuth token holder) to manipulate and access other users' open tasks without proper authorization. Attackers can leverage this by submitting a known task ID to the submitTaakV2 GraphQL endpoint, which lacks adequate authorization checks. This enables malicious users to mark tasks as completed, overwrite the verzonden_data with arbitrary input, and illicitly retrieve the full task, including sensitive, previously entered portaalformulier data from the legitimate owner. The vulnerable code was introduced in commit bb1c1ecf (2024-06-04) and shipped with the 1.5.x release line.
Attack Chain
- An authenticated attacker obtains a valid
burgerOAuth token to access the NL Portal. - The attacker identifies a target user's specific task ID (UUID), possibly through enumeration, social engineering, or prior compromise.
- The attacker crafts a malicious GraphQL mutation request targeting the
submitTaakV2endpoint. - The request includes the victim's task ID and arbitrary data intended to overwrite the original
submission(verzonden_data). - The NL Portal backend, specifically the
nl.nlportal.zgw.taak.service.TaakService.submitTaakV2resolver, processes the request without verifying if the task belongs to the authenticated user. - The backend transitions the identified task to the
AFGEROND(completed) state and overwrites therecord.data.portaalformulier.verzondenDatawith the attacker's supplied input. - The attacker receives the GraphQL response, which includes the entire task object, inadvertently exposing the legitimate owner's previously entered form data (confidentiality impact).
- The victim's task data is tampered with, its integrity is compromised, and their private information is leaked to the attacker.
Impact
This vulnerability significantly impacts both the integrity and confidentiality of user data within the NL Portal. Attackers can unilaterally mark other users' tasks as complete, regardless of their actual status, disrupting legitimate workflows. More critically, they can overwrite the data submitted with these tasks, leading to data corruption and potentially severe consequences depending on the nature of the forms. Furthermore, the attacker gains unauthorized access to sensitive personal data that other users had previously entered into their forms, violating privacy and potentially leading to further exploitation or identity theft. All users of NL Portal Taak versions 1.5.0 through 3.0.0 are at risk.
Recommendation
- Upgrade NL Portal Taak to version 3.0.1 or later to address CVE-2026-49464.
- As a temporary workaround, block the
submitTaakV2GraphQL mutation at your API gateway as described in the brief. - Alternatively, restrict access to the
/graphqlendpoint to trusted networks only until the upgrade for CVE-2026-49464 can be applied.