MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier. An attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
History

Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Mycomplianceoffice
Mycomplianceoffice mco
Vendors & Products Mycomplianceoffice
Mycomplianceoffice mco

Wed, 01 Jul 2026 12:45:00 +0000

Type Values Removed Values Added
Description MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier. An attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Title Insecure Direct Object Reference in MCO
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2026-07-01T11:58:36.922Z

Updated: 2026-07-01T13:42:31.836Z

Reserved: 2026-06-11T07:44:52.179Z

Link: CVE-2026-53903

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.