Information disclosure via histories GraphQL field
Summary
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to. A flaw was found in AFFiNE. This vulnerability allows an authenticated workspace member to bypass document read permissions by supplying arbitrary document Globally Unique Identifiers (GUIDs) to the histories GraphQL field. This Moderate impact information disclosure flaw in AFFiNE allows authenticated workspace members to bypass document read permissions. This issue primarily affects deployments of AFFiNE and does not directly impact Red Hat products. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). Weakness: CWE-639. Red Hat lists Red Hat AI Inference Server; Red Hat Enterprise Linux AI (RHEL AI) 3; Red Hat OpenShift AI (RHOAI) as not affected.
Mitigation
Mitigation steps weren't captured by the parser for this advisory — this is a parsing gap, not a statement that no fix exists. Read the vendor advisory below for the authoritative guidance.
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.