CVE-2026-12213 Overview
CVE-2026-12213 affects the hcengineering Huly Platform through version 0.7.0. The vulnerability resides in the getAccountInfo function within server/account/src/operations.ts, part of the User Information Handler component. The flaw allows improper authorization [CWE-266], enabling remote attackers with low privileges to access account information they should not be permitted to view. Public exploit details are available, and the vendor did not respond to disclosure attempts. The issue is tracked with an EPSS probability of 0.203%.
Critical Impact
Authenticated remote attackers can retrieve account information by abusing improper authorization checks in the getAccountInfo function, leading to unauthorized disclosure of user data.
Affected Products
- hcengineering Huly Platform versions up to and including 0.7.0
- Component: User Information Handler (server/account/src/operations.ts)
- Function: getAccountInfo
Discovery Timeline
- 2026-06-15 - CVE-2026-12213 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12213
Vulnerability Analysis
The vulnerability is an improper authorization flaw [CWE-266] in the Huly Platform account service. The getAccountInfo function in server/account/src/operations.ts handles requests for user account information but fails to enforce sufficient authorization checks on the caller. As a result, a low-privileged authenticated user can request account information belonging to other accounts. The attack is launched remotely over the network and requires no user interaction on the victim's side. Exploit details have been published, increasing the likelihood that opportunistic actors will incorporate the technique into reconnaissance against Huly deployments.
Root Cause
The root cause lies in the getAccountInfo operation, which trusts the requested account identifier without validating that the authenticated caller owns the account or holds an administrative role. The authorization check is either missing or implemented incorrectly, allowing privilege boundaries between distinct accounts to be crossed. This is a classic Conferred Privilege weakness, where a function exposes data without verifying the caller's right to access it.
Attack Vector
An attacker first authenticates to a Huly Platform instance using any valid low-privilege account. The attacker then issues a crafted request to the account service invoking getAccountInfo with a target identifier other than their own. The server returns the requested account information without rejecting the request. The vulnerability requires only network reachability to the Huly account service and a valid low-privilege session token.
No verified proof-of-concept code is published in the SentinelLabs dataset for this CVE. Refer to the VulDB CVE-2026-12213 entry and the VulDB Vulnerability #370855 record for further technical details.
Detection Methods for CVE-2026-12213
Indicators of Compromise
- Account service log entries showing getAccountInfo calls where the requested account identifier does not match the authenticated session identifier.
- Repeated getAccountInfo requests from a single authenticated session enumerating multiple account identifiers in sequence.
- Anomalous spikes in successful responses from the account service originating from non-administrative users.
Detection Strategies
- Instrument the account service to log the authenticated principal alongside the requested target identifier for each getAccountInfo invocation, then alert on mismatches.
- Add application-layer rules that flag enumeration patterns against server/account endpoints from a single source over short time windows.
- Correlate authentication logs with account-info access logs to identify low-privilege accounts retrieving data outside their scope.
Monitoring Recommendations
- Forward Huly Platform application and reverse-proxy logs to a centralized analytics platform and retain them for at least 90 days.
- Monitor outbound responses from the account service for unusually large payloads that may indicate bulk account data extraction.
- Track changes to server/account/src/operations.ts and related authorization middleware in source control to detect tampering or unauthorized modification.
How to Mitigate CVE-2026-12213
Immediate Actions Required
- Restrict network exposure of the Huly Platform account service so it is reachable only from trusted networks or via authenticated reverse proxies.
- Audit existing account-info access logs for requests where the caller and the queried account identifier differ.
- Rotate session tokens and credentials for any accounts that appear in suspicious access patterns.
Patch Information
As of the last NVD update on 2026-06-17, the vendor has not responded to disclosure and no official fix is referenced in the advisory. Track the VulDB CVE-2026-12213 entry and the upstream Huly Platform repository for a future patched release beyond 0.7.0.
Workarounds
- Place the account service behind a reverse proxy that enforces an additional authorization layer comparing the session principal to the requested account identifier.
- Apply a local patch to getAccountInfo in server/account/src/operations.ts that rejects requests when the authenticated user is neither the owner of the target account nor an administrator.
- Limit account creation to vetted users to reduce the pool of low-privilege accounts that could be abused to exploit the flaw.
# Example reverse-proxy guard (nginx) restricting getAccountInfo to internal callers
location /account/getAccountInfo {
allow 10.0.0.0/8;
deny all;
proxy_pass http://huly_account_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

