CVE-2026-40127 Overview
CVE-2026-40127 is an Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting OutSystems Lifetime. The flaw resides in the handling of the ApplicationID parameter, which the application accepts without verifying that the requesting user is authorized to access the referenced object. Any authenticated user can manipulate the ApplicationID value to read the Change Log for arbitrary applications, exposing actions performed by other users and the names of every application managed in the platform. The issue was resolved in OutSystems Lifetime version 11.28.2.3955.
Critical Impact
Authenticated users can read Change Log entries and application names for applications they should not have access to, exposing internal activity and the application inventory across tenants and teams.
Affected Products
- OutSystems Lifetime versions prior to 11.28.2.3955
- OutSystems Platform Server 11 deployments using the affected Lifetime component
- Self-managed OutSystems environments that have not applied the fixed Lifetime release
Discovery Timeline
- 2026-05-25 - CVE-2026-40127 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-40127
Vulnerability Analysis
OutSystems Lifetime is the centralized application lifecycle management console used to deploy, monitor, and audit applications across OutSystems environments. The Change Log feature records actions performed against each application, including who made the change and when. Access to a specific application's Change Log is gated by the ApplicationID parameter passed by the client.
The vulnerability is an Insecure Direct Object Reference (IDOR). The server trusts the user-supplied ApplicationID value and returns the corresponding Change Log without verifying that the authenticated principal has the role or team membership required to view that application. Any user with valid Lifetime credentials can substitute an arbitrary ApplicationID and retrieve audit data plus the application's display name.
While the disclosed scope is limited to read access against the Change Log and application metadata, the leaked information supports reconnaissance for follow-on attacks. Adversaries can enumerate the full application catalog, identify high-value targets, and profile maintenance windows by observing developer activity patterns.
Root Cause
The root cause is missing object-level authorization on the endpoint that serves Change Log data. The application relies on the ApplicationID supplied by the client as both the lookup key and the implicit authorization context, a pattern explicitly described by CWE-639: Authorization Bypass Through User-Controlled Key.
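The following is an added, illustrative model of the CWE-639 pattern described above and of the object-level check that closes it. It is not OutSystems code: Lifetime is not written in Python, and the data model, function names and team-based ownership rule are assumptions chosen to make the pattern concrete.

```python
"""
Illustrative model of the CWE-639 pattern behind CVE-2026-40127 and its fix.
Added example, not OutSystems code: the data model, the function names and
the team-based ownership rule are assumptions for illustration only.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not authorized for the referenced object."""


@dataclass
class Application:
    app_id: int
    name: str
    team: str


@dataclass
class User:
    username: str
    teams: set = field(default_factory=set)
    is_admin: bool = False


# Constructed sample data standing in for the Lifetime application inventory.
APPLICATIONS = {
    101: Application(101, "Customer Portal", team="web"),
    102: Application(102, "HR Backoffice", team="hr"),
}
CHANGE_LOG = {
    101: [("2026-05-20", "alice", "Deployed version 1.4")],
    102: [("2026-05-21", "bob", "Updated database connection")],
}


def change_log_vulnerable(user: User, application_id: int) -> dict:
    """CWE-639: the client-supplied key is both the lookup key and the only
    'authorization'. Any authenticated user can read any application's log."""
    app = APPLICATIONS[application_id]
    return {"name": app.name, "entries": CHANGE_LOG[application_id]}


def can_view_application(user: User, app: Application) -> bool:
    """Object-level authorization: the principal must be an admin or belong
    to the team that owns the resolved application."""
    return user.is_admin or app.team in user.teams


def change_log_fixed(user: User, application_id: int) -> dict:
    """Same lookup, but the decision is made against the resolved object and
    the authenticated principal, never against the user-controlled key alone.
    Unknown and unauthorized ids raise the same error, so the response does
    not reveal which ids exist."""
    app = APPLICATIONS.get(application_id)
    if app is None or not can_view_application(user, app):
        raise Forbidden(f"not authorized for application {application_id}")
    return {"name": app.name, "entries": CHANGE_LOG[application_id]}


if __name__ == "__main__":
    alice = User("alice", teams={"web"})
    print(change_log_vulnerable(alice, 102))   # leaks the HR application's log
    print(change_log_fixed(alice, 101)["name"])
    try:
        change_log_fixed(alice, 102)
    except Forbidden as exc:
        print("denied:", exc)
```

The point of the fixed variant is that authorization is evaluated on the object the key resolves to, using the server-side identity of the caller; the key itself carries no trust. Returning one indistinguishable error for missing and forbidden ids keeps the application inventory from being inferred through the error channel.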
Attack Vector
Exploitation requires only a valid authenticated session in Lifetime and the ability to issue HTTP requests to the Change Log endpoint. An attacker iterates the ApplicationID parameter across the expected identifier range and parses the responses to harvest Change Log entries and application names. No privilege escalation, social engineering, or user interaction is required. Because no verified public proof-of-concept is published, exploitation details are described in prose only. Refer to the CERT Polska advisory for additional technical context.
Detection Methods for CVE-2026-40127
Indicators of Compromise
- HTTP requests to Lifetime Change Log endpoints containing sequentially incrementing or fuzzed ApplicationID values from a single authenticated session.
- Unusually high request volume from a low-privileged Lifetime account against application audit endpoints within a short time window.
- Successful Change Log responses returned to users who have no team or role assignment for the referenced application.
Detection Strategies
- Review Lifetime web server access logs for non-administrative accounts requesting Change Log resources across many distinct ApplicationID values.
- Correlate Lifetime authentication events with application access requests to identify accounts touching applications outside their normal scope of work.
- Baseline each user's typical set of accessed applications and alert on deviations that resemble enumeration behavior.
Monitoring Recommendations
- Forward OutSystems Lifetime application and IIS logs to a centralized analytics platform for retention and correlation.
- Build alerts on enumeration patterns such as more than N unique ApplicationID values requested by one user within a defined interval.
- Periodically audit Lifetime team and role assignments to confirm that least-privilege is enforced for all human and service accounts.
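As an added example of the enumeration alert described in the Detection Strategies and Monitoring Recommendations above (it is not OutSystems tooling), the script below parses a reduced, constructed IIS-style access log, extracts the ApplicationID from each successful Change Log request, and flags any user who touches more than N distinct ApplicationID values inside a sliding time window. The log field layout, the Change Log URL path and the query parameter name are assumptions; adapt them to the real W3C fields and URL of your Lifetime deployment.

```python
"""
Enumeration detector over web server access logs. Added example, not
OutSystems tooling. Assumed, reduced IIS-style line layout:
  date time cs-username cs-method cs-uri-stem cs-uri-query sc-status
The Change Log path and the ApplicationID parameter name are assumptions.
Lines are expected in chronological order, as an access log normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs

CHANGE_LOG_PATH = "/lifetime/ChangeLog.aspx"   # placeholder, not the real URL
PARAM = "ApplicationID"

# Constructed sample: alice reads her usual two apps; eve walks ids 100..106.
SAMPLE_LOG = """\
2026-05-27 09:00:01 alice GET /lifetime/ChangeLog.aspx ApplicationID=101 200
2026-05-27 09:00:05 alice GET /lifetime/ChangeLog.aspx ApplicationID=102 200
2026-05-27 09:02:10 eve GET /lifetime/ChangeLog.aspx ApplicationID=100 200
2026-05-27 09:02:11 eve GET /lifetime/ChangeLog.aspx ApplicationID=101 200
2026-05-27 09:02:12 eve GET /lifetime/ChangeLog.aspx ApplicationID=102 200
2026-05-27 09:02:13 eve GET /lifetime/ChangeLog.aspx ApplicationID=103 200
2026-05-27 09:02:14 eve GET /lifetime/ChangeLog.aspx ApplicationID=104 200
2026-05-27 09:02:15 eve GET /lifetime/ChangeLog.aspx ApplicationID=105 200
2026-05-27 09:30:00 alice GET /lifetime/ChangeLog.aspx ApplicationID=101 200
2026-05-27 10:15:00 eve GET /lifetime/ChangeLog.aspx ApplicationID=106 200
"""


def parse_line(line):
    """Return (timestamp, user, application_id) for a successful Change Log
    request, or None for any other line."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, user, _method, path, query, status = parts
    if path != CHANGE_LOG_PATH or status != "200":
        return None
    ids = parse_qs(query).get(PARAM)
    if not ids:
        return None
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, user, ids[0]


def find_enumerators(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag users who request more than `threshold` distinct ApplicationID
    values within any sliding `window`. Returns {user: time_of_first_alert}."""
    recent = defaultdict(deque)   # user -> (ts, app_id) pairs, oldest first
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, app_id = rec
        q = recent[user]
        q.append((ts, app_id))
        while q and ts - q[0][0] > window:   # drop requests outside the window
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) > threshold and user not in alerts:
            alerts[user] = ts
    return alerts


if __name__ == "__main__":
    for user, when in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {when}: {user} exceeded the distinct-ApplicationID threshold")
```

Tune `threshold` and `window` from a baseline of how many applications a normal Lifetime user touches per session; a release manager legitimately spans more applications than a developer, so the baseline should be per role or per user rather than global.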
How to Mitigate CVE-2026-40127
Immediate Actions Required
- Upgrade OutSystems Lifetime to version 11.28.2.3955 or later on all environments.
- Inventory all Lifetime accounts and disable or rotate credentials for stale, shared, or unknown users.
- Review historical access logs for evidence of ApplicationID enumeration prior to patching and treat exposed Change Log data as known to the actor.
Patch Information
OutSystems addressed CVE-2026-40127 in Lifetime version 11.28.2.3955. Download and release notes are available on the OutSystems Release Details page. Apply the update following the standard OutSystems platform upgrade procedure for the Lifetime component and validate that the version string reflects the fixed release after deployment.
Workarounds
- No vendor-supplied workaround replaces the patch. Restrict Lifetime network access to trusted administrative networks until the upgrade completes.
- Reduce the number of authenticated Lifetime users to the minimum required for operations to limit the population of accounts capable of triggering the issue.
- Enable verbose audit logging on Lifetime to retain evidence in the event that exploitation is later identified.
# Verify the installed OutSystems Lifetime version meets the fixed release
# Replace <lifetime-host> with the Lifetime server hostname. If the server uses an
# internal CA, pass its bundle with --cacert instead of disabling TLS verification (-k).
curl -sf https://<lifetime-host>/lifetime/ | grep -i "version"
# Expected: version string of 11.28.2.3955 or later. If the landing page does not
# expose the version string, read it from the Lifetime console instead.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.