External risk intelligence

Comet Backup vulnerability lets attackers access customer data and control services.

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-29200

A critical flaw in Comet Backup allows any administrator to access or control other customers' data. This vulnerability is exposed via the internet and could impact many users.

4Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-29200

Comet Backup is a server-based application featuring a web-accessible API for management. These platforms are commonly deployed as internet-facing services to allow remote administration and multi-tenant access, making the API surface readily reachable from the public internet in typical deployment scenarios.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Comet Backup allows any tenant administrator to impersonate any end-user from another tenant on the same server. This means one administrator could access or control accounts belonging to users in entirely different organizations using the software.

  • Tenant administrators can access other tenants' data.
  • A wide range of users could be affected.
  • The issue is reachable from the internet.

Attack Path

How an attacker could exploit the issue

An attacker could abuse this IDOR vulnerability by impersonating any end-user account on a Comet Backup server. This allows them to access or manipulate data belonging to other tenants that they would not normally have access to.

  • Vulnerable API call exploited.
  • Requires tenant administrator access.
  • Affects shared Comet Backup servers.

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely target this critical IDOR vulnerability because it allows for tenant impersonation via an API, which is a common and effective attack vector. The vulnerability impacts all versions and provides direct access to sensitive user data.

  • Public exploit code is not yet observed.
  • Comet Backup has known internet-facing deployments.
  • The vulnerability allows for privilege escalation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate investigation for any signs of unauthorized access or administrative impersonation within your Comet Backup environment, given the critical IDOR vulnerability. Focus on identifying and isolating potentially compromised tenant administrator accounts, and review all API call logs for suspicious activity.

  • Block API endpoints used in attack.
  • Monitor for unusual tenant administrator activity.
  • Update Comet Backup to a patched version.

Frequently asked questions

What is the main security issue in Comet Backup versions 20.11.0 through 26.2.1?

A critical IDOR (Insecure Direct Object Reference) vulnerability allows a tenant administrator to impersonate any end-user from other tenants on the same server. This enables unauthorized access to data and control over services of other organizations using the software.

How can an attacker exploit the weakness in Comet Backup?

The weakness is a CWE-639, a type of IDOR vulnerability, where a tenant administrator can exploit a vulnerable API call to impersonate other end-users. This requires the attacker to have tenant administrator access within the affected Comet Backup environment.

What is the attack path and scope of this Comet Backup vulnerability?

The vulnerability is reachable via a network without any user interaction or privileges required for initial access, enabling an attacker to impersonate any end-user account. This affects shared Comet Backup servers and could impact a wide range of users by allowing access to other tenants' data.

What is the relevance of this vulnerability, and why is it likely to be targeted?

This critical IDOR vulnerability is highly relevant due to its potential for tenant impersonation via an API, a common and effective attack vector. Comet Backup servers are often internet-facing, making the vulnerability accessible. Public exploit code is not yet observed, but attackers may target it for direct access to sensitive user data.

What actions should be taken to address the Comet Backup vulnerability?

Immediately investigate your Comet Backup environment for unauthorized access or administrative impersonation. Monitor for unusual tenant administrator activity, review API call logs for suspicious actions, and prioritize updating Comet Backup to a patched version. Blocking the specific API endpoints used in the attack is also recommended.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified