CVE-2026-34905: Apache Answer Unlisted Question Information Disclosure Vulnerability
Apache Answer versions up to 2.0.0 contain a flaw where unlisted questions—content intended to be hidden from public view—can be discovered and read by any authenticated user through direct API calls. The vulnerability bypasses the access controls meant to keep these questions private, exposing not only the questions themselves but also their answers, comments, and revision history to users who should not have permission to see them.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-34905 is an information disclosure vulnerability in Apache Answer stemming from inadequate authorization checks on API endpoints that handle unlisted questions. While the web interface may respect access restrictions, the underlying API does not properly validate whether a logged-in user has permission to retrieve unlisted question content. An authenticated attacker can directly query these endpoints to enumerate and access restricted content, including associated answers, comments, and historical revisions. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS v3.1 score of 6.5 (Medium severity) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact but no integrity or availability risk.
Business impact
For organizations operating private or semi-private knowledge bases, Q&A platforms, or documentation systems on Apache Answer, this vulnerability poses a risk of unintended information leakage. Content that was deliberately marked unlisted—potentially containing draft discussions, sensitive internal questions, or restricted knowledge—becomes accessible to any user with a login. Depending on deployment context, this could expose competitive strategy discussions, internal troubleshooting, security-adjacent inquiries, or other confidential content to broader sets of internal or partner users than intended.
Affected systems
Apache Answer versions through 2.0.0 are affected. Organizations running version 2.0.0 or earlier should assume they are vulnerable. The fix is available in version 2.0.1 and later.
Exploitability
Exploitation requires authentication—the attacker must possess valid login credentials. Once authenticated, the attack requires no user interaction, no special network positioning, and trivial technical effort: direct API calls to retrieve unlisted question IDs and their metadata. The barrier to exploitation is low because API endpoints are network-accessible and do not require privilege escalation or complex payloads. This makes the vulnerability practically exploitable by any internal user or account-holder with basic familiarity of REST APIs.
Remediation
Upgrade Apache Answer to version 2.0.1 or later. This version enforces proper authorization checks on the API endpoints that serve unlisted question content. Organizations should prioritize this patch for environments where unlisted questions are used to protect sensitive or restricted information.
Patch guidance
Verify and apply Apache Answer version 2.0.1 or later from the official Apache Answer release channels. Review your deployment's version number before patching to ensure you are moving from a vulnerable version. Test the patch in a non-production environment first to confirm API behavior and any integration points remain functional. After patching, verify that unlisted questions are no longer accessible to unauthorized users by testing with a non-admin account.
Detection guidance
Monitor API access logs for requests to question endpoints (particularly GET or read operations) made by users who should not have access to unlisted content. Look for patterns such as enumeration of question IDs, repeated API calls to /api/question or similar paths, or access to questions marked as unlisted. If available, inspect API gateway or application firewall logs for anomalous authentication patterns. Conduct a manual audit of unlisted questions in production systems running version 2.0.0 or earlier to determine if any have been accessed by unauthorized accounts (if audit trails are available). Also review user access logs to identify which users have interacted with APIs and cross-reference with question permissions.
Why prioritize this
Although the CVSS score is Medium (6.5), this vulnerability should be prioritized because it directly compromises the confidentiality of content explicitly marked as private or restricted. The ease of exploitation (no user interaction required, authenticated access only) combined with the intentional use case of unlisted questions makes this a practical information leakage risk. Organizations relying on unlisted content for sensitive discussions should treat this as higher urgency.
Risk score, explained
The CVSS v3.1 score of 6.5 reflects high confidentiality impact (C:H) balanced against the requirement for prior authentication (PR:L) and the absence of integrity or availability impacts. The score appropriately captures a scenario where sensitive information is exposed but the system continues to function and no data modification occurs. However, context matters: if unlisted questions are used to store compliance, security, or business-critical information, the risk profile is elevated beyond the numeric score.
Frequently asked questions
Can unauthenticated users exploit this vulnerability?
No. The vulnerability requires valid login credentials. An attacker must first be an authenticated user of the Apache Answer instance.
Will patching to 2.0.1 affect my unlisted questions or require migration?
Patching to 2.0.1 adds proper access controls to existing unlisted questions; it does not delete or modify them. No data migration is required, only the authorization enforcement is improved.
How can I check if this vulnerability has been exploited in my environment?
Review API access logs and question access audit trails (if enabled) for your Apache Answer instance running version 2.0.0 or earlier. Look for unauthorized API requests to unlisted question endpoints or downloads. Also verify which users have viewed or accessed unlisted content.
Does this affect only the API, or is the web interface also vulnerable?
The vulnerability is in the API endpoints. The web interface may display proper access restrictions, but direct API calls bypass those restrictions. Ensure all API clients and integrations respect the patched authorization rules after upgrade.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. The information is based on publicly disclosed CVE data and vendor advisories. No exploit code or proof-of-concept is provided. Organizations must verify compatibility, test patches in non-production environments, and consult official Apache Answer documentation and vendor advisories before applying any updates. SEC.co assumes no liability for operational or deployment decisions made based on this analysis. Always validate vendor patch guidance independently. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42358MEDIUMApache Airflow Secret Masking Bypass for Deeply Nested JSON Variables
- CVE-2026-42360MEDIUMApache Airflow Nested Template Secret Masking Bypass
- CVE-2026-45192MEDIUMApache Airflow Connection API Credential Leak – CVSS 6.5
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-11162MEDIUMChrome CSS Cross-Origin Data Leak Vulnerability
- CVE-2026-11168MEDIUMChrome Extension Memory Disclosure Vulnerability