Incorrect authorisation in Adiss’s Biloop
Biloop, version 6.1.1.
INCIBE ha coordinado la publicación de una vulnerabilidad de severidad crítica que afecta a Biloop de Adiss, plataforma y portal digital de cliente diseñado para despachos profesionales, asesorías y sus clientes. La vulnerabilidad ha sido descubierta por Jean-Michel Junod.
A esta vulnerabilidad se le ha asignado el siguiente código, puntuación base CVSS v4.0, vector del CVSS y el tipo de vulnerabilidad CWE:
- CVE-2026-12686: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N | CWE-639
The vulnerability has now been fixed, so we recommend updating to the latest available version.
CVE-2026-12686: An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.
| Identificador CVE | Severidad | Explotación | Fabricante |
|---|---|---|---|
| CVE-2026-12686 | Crítica | No | Adiss |



