Full Report
An Authorization Bypass Through User-Controlled Key vulnerability (CVE-2026-40127) has been found in OutSystems LifeTime software.
Analysis Summary
# Vulnerability: OutSystems LifeTime Authorization Bypass via ApplicationID
## CVE Details
- **CVE ID:** CVE-2026-40127
- **CVSS Score:** Not explicitly provided in source (Typical range for this flaw type is Medium to High)
- **CWE:** CWE-639: Authorization Bypass Through User-Controlled Key
## Affected Systems
- **Products:** OutSystems LifeTime (the centralized management console for OutSystems environments).
- **Versions:** All versions prior to 11.28.2.3955.
- **Configurations:** Standard deployments where the LifeTime management interface is accessible to authenticated users.
## Vulnerability Description
A vulnerability exists in OutSystems LifeTime due to insufficient validation of the `ApplicationID` parameter. This is a classic Insecure Direct Object Reference (IDOR) or "User-Controlled Key" flaw. Even if a user does not have the necessary permissions to view specific application data, they can manipulate the `ApplicationID` parameter in requests to bypass authorization logic.
Specifically, this flaw allows an authenticated attacker to access the **Change Log**, which reveals actions performed by other administrators/users and the names of any application within the environment, regardless of the attacker's assigned permissions.
## Exploitation
- **Status:** Not reported as exploited in the wild; coordinated disclosure.
- **Complexity:** Low (Requires simple manipulation of an ID parameter).
- **Attack Vector:** Network (Authenticated web interface).
## Impact
- **Confidentiality:** Partial (Exposure of sensitive audit logs, user actions, and application metadata/names).
- **Integrity:** None (The exploit described is read-only).
- **Availability:** None.
## Remediation
### Patches
The vendor has released a fix. Users should update to the following version or later:
- **OutSystems LifeTime version 11.28.2.3955**
### Workarounds
No specific configuration workarounds were provided in the advisory; updating to the patched version is the recommended course of action.
## Detection
- **Indicators of compromise:** Audit logs showing a single user account requesting `ApplicationID` values that do not correspond to their assigned projects or roles.
- **Detection methods and tools:** Web Application Firewalls (WAF) or Log Analysis tools can be configured to monitor for unusual patterns of sequential or unauthorized `ApplicationID` access within LifeTime management URLs.
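The log-analysis detection described above, as an added example that is not part of the advisory: it parses constructed LifeTime access-log lines (the log format, paths and account-to-application mapping are assumptions, not real OutSystems artifacts), flags each account's `ApplicationID` requests that fall outside its assignment, and marks runs of consecutive IDs as likely enumeration.

```python
import re
from collections import defaultdict

# Constructed sample LifeTime access log, not from a real deployment. Assumed format:
# "<timestamp> user=<account> <method> <path>", with ApplicationID as a query parameter.
SAMPLE_LOG = """\
2026-05-02T10:00:01Z user=alice GET /lifetime/ChangeLog.aspx?ApplicationID=101
2026-05-02T10:00:09Z user=alice GET /lifetime/ChangeLog.aspx?ApplicationID=102
2026-05-02T10:00:11Z user=alice GET /lifetime/ChangeLog.aspx?ApplicationID=103
2026-05-02T10:00:14Z user=alice GET /lifetime/ChangeLog.aspx?ApplicationID=104
2026-05-02T10:01:00Z user=bob GET /lifetime/ChangeLog.aspx?ApplicationID=201
2026-05-02T10:01:30Z user=bob GET /lifetime/Applications.aspx
"""
# Assumed mapping of each account to the ApplicationIDs its LifeTime roles grant.
ASSIGNED = {"alice": {101}, "bob": {201, 202}}

LINE_RE = re.compile(r"user=(?P<user>\S+) \S+ (?P<path>\S+)")
APPID_RE = re.compile(r"[?&]ApplicationID=(?P<id>\d+)")

def parse_requests(log_text):
    """Yield (user, application_id) for every request that carries an ApplicationID."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        a = APPID_RE.search(m.group("path")) if m else None
        if a:
            yield m.group("user"), int(a.group("id"))

def find_unauthorized(log_text, assigned):
    """Map each user to the sorted ApplicationIDs they requested outside their assignment."""
    hits = defaultdict(set)
    for user, app_id in parse_requests(log_text):
        if app_id not in assigned.get(user, set()):  # unknown accounts get everything flagged
            hits[user].add(app_id)
    return {u: sorted(ids) for u, ids in hits.items()}

def looks_sequential(ids, min_run=3):
    """True if ids contain min_run consecutive values: the enumeration pattern to alert on."""
    s, run = sorted(set(ids)), 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_run:
            return True
    return False

if __name__ == "__main__":
    for user, ids in find_unauthorized(SAMPLE_LOG, ASSIGNED).items():
        tag = " (sequential enumeration)" if looks_sequential(ids) else ""
        print(f"{user}: ApplicationIDs outside assignment {ids}{tag}")
```

In a real deployment the assignment mapping would come from LifeTime's own role configuration rather than a hard-coded dictionary, and the alert threshold should be tuned so that a single mistyped ID does not page anyone.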
## References
- **Vendor Advisory:** hxxps[://]www[.]outsystems[.]com/
- **CERT Polska Advisory:** hxxps[://]cert[.]pl/en/posts/2026/05/vulnerability-in-lifetime-software/
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-40127
- **CWE-639 Definition:** hxxps[://]cwe[.]mitre[.]org/data/definitions/639[.]html