CVE-2026-49463

MEDIUMPre-NVD 6.56.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
6.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries

Impact

In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user:

  • Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has lacked an authentication parameter since the initial commit of the project (2022-11-22) — so every version of nl.nl-portal:documenten-api ever published is affected (the earliest one on Maven Central is 0.2.2.RELEASE, published 2023-08-31).
  • Decisions (besluiten). A logged-in user could list, search, and read decision records — including their audit trails and the documents attached to them — for any user. The list query also accepted filters (decision type, identification, responsible organisation, related case), which made it easy to enumerate decisions across the user base. The besluiten module was introduced in the 1.5.x release line (commit 9229460b, 2024-08-19), so versions of nl.nl-portal:besluiten from 1.5.0 through 3.0.0 are affected.

Decisions and their attachments often contain sensitive personal data (decisions on benefits, permits, objections, and similar), so the confidentiality impact is high. The two endpoints also chain naturally: once an attacker has discovered another user's document IDs by enumerating decisions, they can pull those documents' contents through the document endpoint.

Why these two findings are reported together

They share the same root cause and the same shape. Both GraphQL resolvers were declared without an authentication parameter on the method signature, which meant the framework never bound the authenticated user into the resolver and the resolver therefore could not perform per-user authorization checks. The fix pattern is the same — bind the authenticated principal into the resolver, or remove the resolver entirely. And in practice the two endpoints reinforce each other as a chain (enumerate via decisions, exfiltrate via documents), so they describe a single end-to-end weakness in the GraphQL surface.

Patches

Upgrade to 3.0.1 or later.

  • nl.nl-portal:documenten-api — the resolver now declares the authentication parameter, so the framework binds the authenticated user into the call path. Fix commit: 32e0ebdf — "Add auth on DocumentContentQuery.kt".
  • nl.nl-portal:besluiten — the entire besluiten module is removed in 3.0.1. Consumers who rely on the besluiten functionality must implement a replacement at the application layer with explicit per-user authorization on every resolver before upgrading. Fix commit: f592af1b — "Removal of Besluiten API".

Workarounds

For deployments that cannot upgrade immediately:

  • Block the following GraphQL operations at the API gateway: getDocumentContent, getBesluiten, getBesluit, getBesluitAuditTrails, getBesluitAuditTrail, getBesluitDocumenten, getBesluitDocument.
  • If per-operation blocking is not possible, block the besluiten module's GraphQL types entirely and block the document-content query.

Technical details

  • nl.nlportal.documentenapi.graphql.DocumentContentQuery.getDocumentContent(documentApi, id) did not declare a CommonGroundAuthentication parameter on the resolver. The authenticated principal was therefore not bound into the call path and document content could be retrieved without the resolver participating in user-scoped authorization. Patched by adding authentication: CommonGroundAuthentication to the resolver signature, so Spring's argument resolution rejects unauthenticated invocations of the query.
  • nl.nlportal.besluiten.graphql.BesluitenQuery exposed six GraphQL operations — getBesluiten, getBesluit, getBesluitAuditTrails, getBesluitAuditTrail, getBesluitDocumenten, getBesluitDocument — none of which declared a CommonGroundAuthentication parameter. In particular, getBesluiten accepted filter arguments (besluitType, identificatie, verantwoordelijkeOrganisatie, zaak, pageNumber) but performed no user scoping, allowing callers to enumerate besluit records across users. The point-lookup operations (getBesluit, getBesluitAuditTrail, getBesluitDocument) returned data for any UUID without ownership checks. The fix is the removal of BesluitenQuery, BesluitenAutoConfiguration, and the integration test, and the autoconfiguration entry has been unwired from the application defaults.

Credits

Discovered during the nl-portal-backend-libraries penetration testing engagement (phase 1, May 2026). Vendor attribution to be added before publication.

CVSS v3
6.5
EG Score
6.5(low)
EPSS
KEV
Not listed

Published

July 8, 2026

Last Modified

July 8, 2026

Vendor Advisories for CVE-2026-49463(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 6× in last 7d / 7× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 06:31 UTCEG score recompute
  2. 2026-07-14 05:03 UTCEG score recompute
  3. 2026-07-13 03:36 UTCEG score recompute
  4. 2026-07-12 02:09 UTCEG score recompute
  5. 2026-07-11 00:42 UTCEG score recompute
  6. 2026-07-09 23:14 UTCEG score recompute
  7. 2026-07-08 21:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-49463?
CVE-2026-49463 is a medium vulnerability published on July 8, 2026. NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries Impact In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user: Document content. A logged-in…
When was CVE-2026-49463 disclosed?
CVE-2026-49463 was first published in the National Vulnerability Database on July 8, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-49463?
CVE-2026-49463 has a CVSS v4.0 base score of 6.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-49463?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49463, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49463

Explore →

Is Your Infrastructure Affected by CVE-2026-49463?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.