CVE Catalog

CVE-2026-11764

LowCVSS 3.6
Published: Updated: Translated: NVD NIST

Summary

CVE-2026-11764 allows the export of secrets related to gift cards even if the user does not have permission to view them. This violates security principles as only the first letters of the gift card secret are displayed in the UI and API.

Risk Assessment

Organizations may be exposed to the disclosure of sensitive information related to gift cards, potentially leading to unauthorized access and abuse.

Recommendation

It is recommended to review and update data export mechanisms to ensure that users cannot access information they are not authorized to view.

Original NVD description (English source)

When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS