Vulnerability Description
Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle — which the attacker controls — and then the action deletes whichever preview's UUID is supplied. The check therefore guards the wrong project.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-44678?
CVE-2026-44678 is a documented vulnerability. Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID wit...
How severe is CVE-2026-44678?
CVSS scoring is not yet available for CVE-2026-44678. Check NVD for updates.
Is there a patch for CVE-2026-44678?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.