<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>NL Portal - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/nl-portal/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 21:14:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/nl-portal/feed.xml" rel="self" type="application/rss+xml"/><item><title>NL Portal IDOR Vulnerability Allows Tampering and Data Leakage of Other Users' Tasks (CVE-2026-49464)</title><link>https://feed.craftedsignal.io/briefs/2026-07-nl-portal-idor-task-tampering/</link><pubDate>Wed, 08 Jul 2026 21:14:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-nl-portal-idor-task-tampering/</guid><description>An Insecure Direct Object Reference (IDOR) vulnerability, CVE-2026-49464, in NL Portal's Taak V2 implementation (versions 1.5.0 through 3.0.0) allows authenticated attackers to mark other users' tasks as complete, overwrite submitted data, and leak personal information by exploiting an authorization bypass in the `submitTaakV2` GraphQL endpoint.</description><content:encoded><![CDATA[<p>A high-severity Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2026-49464, has been identified in the NL Portal's Taak V2 implementation, affecting versions from 1.5.0 up to and including 3.0.0. This flaw permits any authenticated portal user (<code>burger</code> OAuth token holder) to manipulate and access other users' open tasks without proper authorization. Attackers can leverage this by submitting a known task ID to the <code>submitTaakV2</code> GraphQL endpoint, which lacks adequate authorization checks. This enables malicious users to mark tasks as completed, overwrite the <code>verzonden_data</code> with arbitrary input, and illicitly retrieve the full task, including sensitive, previously entered <code>portaalformulier</code> data from the legitimate owner. The vulnerable code was introduced in commit <code>bb1c1ecf</code> (2024-06-04) and shipped with the 1.5.x release line.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker obtains a valid <code>burger</code> OAuth token to access the NL Portal.</li>
<li>The attacker identifies a target user's specific task ID (UUID), possibly through enumeration, social engineering, or prior compromise.</li>
<li>The attacker crafts a malicious GraphQL mutation request targeting the <code>submitTaakV2</code> endpoint.</li>
<li>The request includes the victim's task ID and arbitrary data intended to overwrite the original <code>submission</code> (<code>verzonden_data</code>).</li>
<li>The NL Portal backend, specifically the <code>nl.nlportal.zgw.taak.service.TaakService.submitTaakV2</code> resolver, processes the request without verifying if the task belongs to the authenticated user.</li>
<li>The backend transitions the identified task to the <code>AFGEROND</code> (completed) state and overwrites the <code>record.data.portaalformulier.verzondenData</code> with the attacker's supplied input.</li>
<li>The attacker receives the GraphQL response, which includes the entire task object, inadvertently exposing the legitimate owner's previously entered form data (confidentiality impact).</li>
<li>The victim's task data is tampered with, its integrity is compromised, and their private information is leaked to the attacker.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability significantly impacts both the integrity and confidentiality of user data within the NL Portal. Attackers can unilaterally mark other users' tasks as complete, regardless of their actual status, disrupting legitimate workflows. More critically, they can overwrite the data submitted with these tasks, leading to data corruption and potentially severe consequences depending on the nature of the forms. Furthermore, the attacker gains unauthorized access to sensitive personal data that other users had previously entered into their forms, violating privacy and potentially leading to further exploitation or identity theft. All users of NL Portal Taak versions 1.5.0 through 3.0.0 are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade NL Portal Taak to version <strong>3.0.1</strong> or later to address <strong>CVE-2026-49464</strong>.</li>
<li>As a temporary workaround, block the <code>submitTaakV2</code> GraphQL mutation at your API gateway as described in the brief.</li>
<li>Alternatively, restrict access to the <code>/graphql</code> endpoint to trusted networks only until the upgrade for <strong>CVE-2026-49464</strong> can be applied.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>idor</category><category>graphql</category><category>data-tampering</category><category>data-leakage</category><category>authentication-bypass</category><category>cve</category></item></channel></rss>