CVE-2026-44678 HIGH

CVE-2026-44678: Tuist: IDOR in preview deletion API allows cross-tenant deletion of any preview by UUID

Vendor Tuist
Product tuist
Weakness CWE-639 · IDOR
Published May 14, 2026
Last update May 16, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle — which the attacker controls — and then the action deletes whichever preview's UUID is supplied. The check therefore guards the wrong project.
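The defect described above is a lookup that is keyed only by the record's UUID while the authorization check is keyed only by the project in the URL path. The following is an added example, not Tuist's code: a minimal in-memory model of that route with the unscoped lookup beside the scoped one, plus the regression check a maintainer would want. `Preview`, `authorize_project`, the `delete_preview_*` functions, the tenant names and every UUID are constructed for the illustration and are not taken from the project.

```python
"""Added example, not Tuist's code: loading a preview by UUID alone versus
loading it scoped to the project the route just authorized.
All names, tenants and ids below are constructed for the illustration."""
from dataclasses import dataclass


@dataclass
class Preview:
    id: str          # UUID string
    project_id: str  # "{account_handle}/{project_handle}" that owns the preview


# Constructed in-memory store: previews keyed by UUID, and project membership.
PREVIEWS: dict[str, Preview] = {}
MEMBERS: dict[str, set[str]] = {}


def seed() -> None:
    """Reset the store: two tenants with one preview each; every id is made up."""
    PREVIEWS.clear()
    MEMBERS.clear()
    PREVIEWS["1a1a1a1a-0000-4000-8000-000000000001"] = Preview(
        "1a1a1a1a-0000-4000-8000-000000000001", "tenant-a/app")
    PREVIEWS["2b2b2b2b-0000-4000-8000-000000000002"] = Preview(
        "2b2b2b2b-0000-4000-8000-000000000002", "tenant-b/app")
    MEMBERS["tenant-a/app"] = {"alice"}
    MEMBERS["tenant-b/app"] = {"bob"}


def authorize_project(user: str, project_id: str) -> bool:
    """Stand-in for the route-level plug: may the caller act on the project
    named in the URL path? It knows nothing about the preview id."""
    return user in MEMBERS.get(project_id, set())


def delete_preview_unscoped(user: str, path_project: str, preview_id: str) -> int:
    """Defective shape: authorize against the path project, then delete
    whatever record the UUID names, whichever project owns it."""
    if not authorize_project(user, path_project):
        return 403
    preview = PREVIEWS.get(preview_id)
    if preview is None:
        return 404
    del PREVIEWS[preview.id]
    return 204


def delete_preview_scoped(user: str, path_project: str, preview_id: str) -> int:
    """Fixed shape: the lookup carries the project constraint, so a UUID that
    belongs to another project resolves to nothing. Answering 404 instead of
    403 also avoids confirming that the foreign UUID exists."""
    if not authorize_project(user, path_project):
        return 403
    preview = PREVIEWS.get(preview_id)
    if preview is None or preview.project_id != path_project:
        return 404
    del PREVIEWS[preview.id]
    return 204


def foreign_preview_survives(delete) -> bool:
    """Regression check: a caller authorized only on tenant-a supplies
    tenant-b's preview UUID through tenant-a's path. True if tenant-b's
    record is still present afterwards (the behaviour we want)."""
    seed()
    foreign = "2b2b2b2b-0000-4000-8000-000000000002"
    delete("alice", "tenant-a/app", foreign)
    return foreign in PREVIEWS


if __name__ == "__main__":
    print("unscoped lookup keeps foreign preview:", foreign_preview_survives(delete_preview_unscoped))
    print("scoped lookup keeps foreign preview:  ", foreign_preview_survives(delete_preview_scoped))
```

In a real data layer the same idea is a query with both keys in its WHERE clause (or an ORM lookup through the already-authorized project association), so that the record simply cannot be reached from a project the caller does not own; a test like `foreign_preview_survives` belongs in the suite for every route that takes a resource id from the URL.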

Key dates

Disclosure timeline

May 14, 2026 CVE published
May 16, 2026 Record updated