CVE-2026-25699: Apache Answer Authorization Bypass Exposes Private Content
Apache Answer versions up to 2.0.0 contain an authorization bypass in timeline-related APIs that allows any authenticated user to view content they shouldn't have access to—including deleted items, private submissions, and unapproved materials, along with their full revision history. An attacker with a regular user account can exploit this by directly calling these APIs without needing elevated privileges. The vendor has released version 2.0.1 to address the flaw.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-359
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and its revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient authorization validation in Apache Answer's timeline APIs. While the APIs require authentication (ruling out anonymous access), they fail to enforce proper permission checks before returning sensitive data. This allows an authenticated attacker to enumerate and retrieve deleted, private, or unpublished content and track all historical changes to that content. The issue affects Apache Answer through version 2.0.0 and is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor).
Business impact
Organizations deploying Apache Answer face a confidentiality breach risk. Users' private submissions, deleted content, and internal revision histories become visible to any employee or contractor with basic system access. This exposure could compromise sensitive information sharing, internal deliberations, or draft content that was never intended for publication. While integrity and availability remain unaffected, the information disclosure could damage trust and create compliance liabilities depending on the nature of exposed data and applicable regulations.
Affected systems
The vulnerability affects Apache Answer versions 2.0.0 and earlier. Organizations running any version at or below 2.0.0 should be considered at risk. Version 2.0.1 and later contain the necessary authorization fixes. No other Apache products or third-party integrations are mentioned as affected by this specific flaw.
Exploitability
Exploitation requires valid user credentials—an attacker cannot exploit this vulnerability anonymously. However, the barrier to entry is low: any authenticated user account (including low-privilege accounts) can trigger the unauthorized data access. The vulnerability requires user interaction (UI:R in the CVSS vector), likely meaning the attacker must craft API calls or use browser developer tools to access the timeline endpoints directly. The attack surface is network-accessible, and no special configuration or race conditions are needed, making it relatively straightforward to exploit once an attacker has valid credentials.
Remediation
Upgrade Apache Answer to version 2.0.1 or later immediately. The patch restores proper authorization checks to timeline-related APIs, ensuring that authenticated users can only access content they have explicit permission to view. Organizations unable to upgrade immediately should review access controls and audit logs to detect unauthorized data access. Consider restricting API access to trusted networks or implementing additional authentication layers until patching is complete.
Patch guidance
Apache Answer users should prioritize upgrading to version 2.0.1. Consult the official Apache Answer release notes and vendor advisory for any breaking changes or migration steps. Before deploying to production, test the upgrade in a staging environment to verify that legitimate timeline operations continue to function correctly and that no dependent integrations are disrupted. If immediate patching is not possible, document the risk and establish a remediation timeline.
Detection guidance
Monitor Apache Answer's timeline API endpoints for unusual access patterns, particularly requests from low-privilege accounts accessing content marked as private, deleted, or unapproved. Review API logs for calls to `/api/timeline/*` or similar endpoints from users who shouldn't have permission to that data. Audit the revision history API for systematic enumeration attempts. Check access logs for authenticated sessions making repeated requests to different content IDs in a short timeframe—a potential sign of automated exploitation. Implement alerting on failed authorization checks if your deployment includes detailed logging.
Why prioritize this
This vulnerability merits prompt attention due to its combination of easy exploitation (any authenticated user can trigger it), direct information disclosure impact, and potential for sensitive data exposure. The CVSS 6.1 MEDIUM score reflects the confidentiality breach risk, while the lack of authentication barriers and network accessibility increase practical urgency. Organizations where Apache Answer hosts sensitive discussions, drafts, or internal deliberations should prioritize this higher than the base score suggests.
Risk score, explained
The CVSS 3.1 score of 6.1 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects a network-accessible vulnerability with low attack complexity, no special privileges required, and user interaction needed. It assigns partial impact to confidentiality and integrity, with no availability impact. The score is reasonable given that exploitation requires valid credentials and user interaction, but security teams should weight their own risk higher if Apache Answer hosts highly sensitive content or if your environment grants broad user access to the platform.
Frequently asked questions
Can an unauthenticated user exploit this vulnerability?
No. The vulnerability requires a valid user account to access the Apache Answer instance. An attacker must first obtain legitimate credentials, either through social engineering, credential stuffing, or as an insider. Once authenticated, however, they can access restricted content without elevated privileges.
What types of content are at risk?
Any content marked as deleted, private, or unapproved—including draft submissions and full revision histories—is vulnerable to unauthorized viewing. The exact impact depends on the type of data your organization stores in Apache Answer and how you use privacy and approval workflows.
Does patching to 2.0.1 require downtime?
Consult the Apache Answer 2.0.1 release notes for upgrade procedures. Most patches can be applied during a maintenance window with brief downtime, though always test in a staging environment first to confirm compatibility with your deployment.
Is there evidence of active exploitation?
This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread active exploitation has been reported as of the publication date. However, the ease of exploitation means you should assume capable attackers will test for it once the flaw becomes public.
This analysis is based on the published CVE description and CVSS vector as of the modification date. For definitive patch status, compatibility information, and upgrade procedures, consult the official Apache Answer advisory and release notes. Organizations should conduct their own risk assessment based on deployment sensitivity and data classification. No exploit code or proof-of-concept details are provided herein. Verification of patch application and testing in a non-production environment are strongly recommended before production deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2020-25900MEDIUMHelloTalk Location Privacy Flaw – Unintended GPS Exposure
- CVE-2025-48977MEDIUMApache Ignite REST API Path Traversal – Authenticated File Read Vulnerability
- CVE-2026-25688MEDIUMApache Answer XSS Vulnerability in AI Response Rendering
- CVE-2026-29170MEDIUMApache HTTP Server FTP Proxy XSS Vulnerability
- CVE-2026-33582MEDIUMApache Answer TIFF Image DoS Vulnerability (Medium CVSS 6.5)
- CVE-2026-34031MEDIUMApache Answer Profile Image URL Validation Vulnerability
- CVE-2026-34033MEDIUMApache Answer XSS in Notification Emails – Vulnerability Explainer
- CVE-2026-34905MEDIUMApache Answer Unlisted Question Information Disclosure Vulnerability