CVE-2026-40127

EUVD-2026-31662
OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key vulnerability in ApplicationID parameter. Any authenticated user, can read the Change Log containing actions performed by other users as well as application name of any application.

This issue was fixed in OutSystems Lifetime version 11.28.2.3955
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Common Weakness Enumeration
References
https://cert.pl/en/posts/2026/05/CVE-2026-40126/
https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953&MajorVersion=11&ComponentName=LifeTime