Incorrect authorisation in Adiss’s Biloop

Posted date 06/07/2026
Identificador
INCIBE-2026-471
Importance
5 - Critical
Affected Resources

Biloop, version 6.1.1.

Description

INCIBE ha coordinado la publicación de una vulnerabilidad de severidad crítica que afecta a Biloop de Adiss, plataforma y portal digital de cliente diseñado para despachos profesionales, asesorías y sus clientes. La vulnerabilidad ha sido descubierta por Jean-Michel Junod.

A esta vulnerabilidad se le ha asignado el siguiente código, puntuación base CVSS v4.0, vector del CVSS y el tipo de vulnerabilidad CWE:

  • CVE-2026-12686: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N | CWE-639
Solution

The vulnerability has now been fixed, so we recommend updating to the latest available version.

Detail

CVE-2026-12686: An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.

CVE
Identificador CVE Severidad Explotación Fabricante
CVE-2026-12686 Crítica No Adiss
References list