{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nl-portal-taak-vulnerable--1.5.0--3.0.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NL Portal Taak (vulnerable: \u003e= 1.5.0, \u003c= 3.0.0)"],"_cs_severities":["high"],"_cs_tags":["idor","graphql","data-tampering","data-leakage","authentication-bypass","cve"],"_cs_type":"advisory","_cs_vendors":["NL Portal"],"content_html":"\u003cp\u003eA high-severity Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2026-49464, has been identified in the NL Portal's Taak V2 implementation, affecting versions from 1.5.0 up to and including 3.0.0. This flaw permits any authenticated portal user (\u003ccode\u003eburger\u003c/code\u003e OAuth token holder) to manipulate and access other users' open tasks without proper authorization. Attackers can leverage this by submitting a known task ID to the \u003ccode\u003esubmitTaakV2\u003c/code\u003e GraphQL endpoint, which lacks adequate authorization checks. This enables malicious users to mark tasks as completed, overwrite the \u003ccode\u003everzonden_data\u003c/code\u003e with arbitrary input, and illicitly retrieve the full task, including sensitive, previously entered \u003ccode\u003eportaalformulier\u003c/code\u003e data from the legitimate owner. The vulnerable code was introduced in commit \u003ccode\u003ebb1c1ecf\u003c/code\u003e (2024-06-04) and shipped with the 1.5.x release line.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker obtains a valid \u003ccode\u003eburger\u003c/code\u003e OAuth token to access the NL Portal.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user's specific task ID (UUID), possibly through enumeration, social engineering, or prior compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GraphQL mutation request targeting the \u003ccode\u003esubmitTaakV2\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the victim's task ID and arbitrary data intended to overwrite the original \u003ccode\u003esubmission\u003c/code\u003e (\u003ccode\u003everzonden_data\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe NL Portal backend, specifically the \u003ccode\u003enl.nlportal.zgw.taak.service.TaakService.submitTaakV2\u003c/code\u003e resolver, processes the request without verifying if the task belongs to the authenticated user.\u003c/li\u003e\n\u003cli\u003eThe backend transitions the identified task to the \u003ccode\u003eAFGEROND\u003c/code\u003e (completed) state and overwrites the \u003ccode\u003erecord.data.portaalformulier.verzondenData\u003c/code\u003e with the attacker's supplied input.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the GraphQL response, which includes the entire task object, inadvertently exposing the legitimate owner's previously entered form data (confidentiality impact).\u003c/li\u003e\n\u003cli\u003eThe victim's task data is tampered with, its integrity is compromised, and their private information is leaked to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability significantly impacts both the integrity and confidentiality of user data within the NL Portal. Attackers can unilaterally mark other users' tasks as complete, regardless of their actual status, disrupting legitimate workflows. More critically, they can overwrite the data submitted with these tasks, leading to data corruption and potentially severe consequences depending on the nature of the forms. Furthermore, the attacker gains unauthorized access to sensitive personal data that other users had previously entered into their forms, violating privacy and potentially leading to further exploitation or identity theft. All users of NL Portal Taak versions 1.5.0 through 3.0.0 are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NL Portal Taak to version \u003cstrong\u003e3.0.1\u003c/strong\u003e or later to address \u003cstrong\u003eCVE-2026-49464\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, block the \u003ccode\u003esubmitTaakV2\u003c/code\u003e GraphQL mutation at your API gateway as described in the brief.\u003c/li\u003e\n\u003cli\u003eAlternatively, restrict access to the \u003ccode\u003e/graphql\u003c/code\u003e endpoint to trusted networks only until the upgrade for \u003cstrong\u003eCVE-2026-49464\u003c/strong\u003e can be applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T21:14:46Z","date_published":"2026-07-08T21:14:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nl-portal-idor-task-tampering/","summary":"An Insecure Direct Object Reference (IDOR) vulnerability, CVE-2026-49464, in NL Portal's Taak V2 implementation (versions 1.5.0 through 3.0.0) allows authenticated attackers to mark other users' tasks as complete, overwrite submitted data, and leak personal information by exploiting an authorization bypass in the `submitTaakV2` GraphQL endpoint.","title":"NL Portal IDOR Vulnerability Allows Tampering and Data Leakage of Other Users' Tasks (CVE-2026-49464)","url":"https://feed.craftedsignal.io/briefs/2026-07-nl-portal-idor-task-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed - NL Portal Taak (Vulnerable: \u003e= 1.5.0, \u003c= 3.0.0)","version":"https://jsonfeed.org/version/1.1"}