Authorization Bypass in ON24 Q&A chat
The Q&A chat of ON24.
INCIBE has coordinated the publication of a high severity vulnerability affecting the Q&A chat of ON24, an engagement platform. The vulnerability was discovered by Samuel de Lucas Maroto.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2026-3321: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N | CWE-639
There is no reported solution at this time.
CVE-2026-3321: a vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2026-3321 | Alta | No | On24 |
