CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-5246 (GCVE-0-2026-5246)
Vulnerability from cvelistv5 – Published: 2026-04-02 09:45 – Updated: 2026-04-02 13:07 X_Open Source
VLAI
Title
Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization
Summary
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/354827 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/354827/cti | signaturepermissions-required |
| https://vuldb.com/submit/770104 | third-party-advisory |
| https://github.com/cesanta/mongoose/commit/0d882f… | patch |
| https://github.com/cesanta/mongoose/releases/tag/7.21 | patch |
| https://github.com/cesanta/mongoose/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cesanta | Mongoose |
Affected:
7.0
Affected: 7.1 Affected: 7.2 Affected: 7.3 Affected: 7.4 Affected: 7.5 Affected: 7.6 Affected: 7.7 Affected: 7.8 Affected: 7.9 Affected: 7.10 Affected: 7.11 Affected: 7.12 Affected: 7.13 Affected: 7.14 Affected: 7.15 Affected: 7.16 Affected: 7.17 Affected: 7.18 Affected: 7.19 Affected: 7.20 Unaffected: 7.21 cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5246",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T13:06:36.226342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:07:02.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*"
],
"modules": [
"P-384 Public Key Handler"
],
"product": "Mongoose",
"vendor": "Cesanta",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"status": "affected",
"version": "7.1"
},
{
"status": "affected",
"version": "7.2"
},
{
"status": "affected",
"version": "7.3"
},
{
"status": "affected",
"version": "7.4"
},
{
"status": "affected",
"version": "7.5"
},
{
"status": "affected",
"version": "7.6"
},
{
"status": "affected",
"version": "7.7"
},
{
"status": "affected",
"version": "7.8"
},
{
"status": "affected",
"version": "7.9"
},
{
"status": "affected",
"version": "7.10"
},
{
"status": "affected",
"version": "7.11"
},
{
"status": "affected",
"version": "7.12"
},
{
"status": "affected",
"version": "7.13"
},
{
"status": "affected",
"version": "7.14"
},
{
"status": "affected",
"version": "7.15"
},
{
"status": "affected",
"version": "7.16"
},
{
"status": "affected",
"version": "7.17"
},
{
"status": "affected",
"version": "7.18"
},
{
"status": "affected",
"version": "7.19"
},
{
"status": "affected",
"version": "7.20"
},
{
"status": "unaffected",
"version": "7.21"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "the_evilsocket (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T09:45:11.602Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354827 | Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354827"
},
{
"name": "VDB-354827 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354827/cti"
},
{
"name": "Submit #770104 | Cesanta Mongoose 7.20 Authorization Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/770104"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cesanta/mongoose/commit/0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cesanta/mongoose/releases/tag/7.21"
},
{
"tags": [
"product"
],
"url": "https://github.com/cesanta/mongoose/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-02T09:48:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5246",
"datePublished": "2026-04-02T09:45:11.602Z",
"dateReserved": "2026-03-31T14:45:56.419Z",
"dateUpdated": "2026-04-02T13:07:02.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5326 (GCVE-0-2026-5326)
Vulnerability from cvelistv5 – Published: 2026-04-02 10:45 – Updated: 2026-04-03 19:51 X_Freeware
VLAI
Title
SourceCodester Leave Application System User Information index.php authorization
Summary
A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and might be used.
Severity
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/354657 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/354657/cti | signaturepermissions-required |
| https://vuldb.com/submit/780773 | third-party-advisory |
| https://medium.com/@hemantrajbhati5555/insecure-d… | broken-linkexploit |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Leave Application System |
Affected:
1.0
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5326",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T19:50:54.583688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T19:51:06.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"User Information Handler"
],
"product": "Leave Application System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hemant Raj Bhati (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in SourceCodester Leave Application System 1.0. Impacted is an unknown function of the file /index.php?page=manage_user of the component User Information Handler. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and might be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T10:45:10.736Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354657 | SourceCodester Leave Application System User Information index.php authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354657"
},
{
"name": "VDB-354657 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354657/cti"
},
{
"name": "Submit #780773 | SourceCodester Leave Application System in PHP and SQLite3 1.0 Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780773"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://medium.com/@hemantrajbhati5555/insecure-direct-object-reference-idor-in-leave-application-system-php-sqlite3-66af35b8b6ea"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-01T15:23:44.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Leave Application System User Information index.php authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5326",
"datePublished": "2026-04-02T10:45:10.736Z",
"dateReserved": "2026-04-01T13:18:37.607Z",
"dateUpdated": "2026-04-03T19:51:06.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5395 (GCVE-0-2026-5395)
Vulnerability from cvelistv5 – Published: 2026-05-14 06:44 – Updated: 2026-05-14 10:44
VLAI
Title
Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter
Summary
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure.
Severity
8.2 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder |
Affected:
0 , ≤ 6.2.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T10:40:50.840347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T10:44:15.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder",
"vendor": "techjewel",
"versions": [
{
"lessThanOrEqual": "6.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sander Horsman"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T06:44:12.291Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd12b8a-2033-4236-abcd-2a8d08e7f099?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3507987/fluentform/trunk/app/Services/Transfer/TransferService.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-09T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-04-01T23:58:52.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-13T18:08:24.000Z",
"value": "Disclosed"
}
],
"title": "Fluent Forms \u003c= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via \u0027table\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5395",
"datePublished": "2026-05-14T06:44:12.291Z",
"dateReserved": "2026-04-01T23:36:22.038Z",
"dateUpdated": "2026-05-14T10:44:15.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5396 (GCVE-0-2026-5396)
Vulnerability from cvelistv5 – Published: 2026-05-14 05:30 – Updated: 2026-05-14 10:46
VLAI
Title
Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter
Summary
The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for.
Severity
8.2 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder |
Affected:
0 , ≤ 6.1.21
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T10:38:53.222379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T10:46:46.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder",
"vendor": "techjewel",
"versions": [
{
"lessThanOrEqual": "6.1.21",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sander Horsman"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions (read, modify, delete, add notes) based on a user-supplied `form_id` query parameter. This makes it possible for authenticated attackers, with Fluent Forms Manager access restricted to specific forms, to read, modify status, add notes to, and permanently delete form submissions belonging to any other form by spoofing the form_id parameter to a form they are authorized for."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T05:30:28.790Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81aad41e-0330-4dff-a5f8-08a108d724f5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/fluentform/tags/6.1.21/app/Http/Policies/SubmissionPolicy.php\u0026new_path=/fluentform/tags/6.2.0/app/Http/Policies/SubmissionPolicy.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-09T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-04-02T00:15:40.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-13T17:13:18.000Z",
"value": "Disclosed"
}
],
"title": "Fluent Forms \u003c= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via \u0027form_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5396",
"datePublished": "2026-05-14T05:30:28.790Z",
"dateReserved": "2026-04-01T23:59:10.834Z",
"dateUpdated": "2026-05-14T10:46:46.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5465 (GCVE-0-2026-5465)
Vulnerability from cvelistv5 – Published: 2026-04-07 06:43 – Updated: 2026-04-08 17:12
VLAI
Title
Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter
Summary
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account — including Administrator — by injecting an arbitrary `externalId` value when updating their own provider profile.
Severity
8.8 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ameliabooking | Booking for Appointments and Events Calendar – Amelia |
Affected:
0 , ≤ 2.1.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:13:09.198377Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:13:24.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Booking for Appointments and Events Calendar \u2013 Amelia",
"vendor": "ameliabooking",
"versions": [
{
"lessThanOrEqual": "2.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Osvaldo Noe Gonzalez Del Rio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is passed to `wp_set_password()` and `wp_update_user()` without authorization checks. This makes it possible for authenticated attackers, with Provider-level (Employee) access and above, to take over any WordPress account \u2014 including Administrator \u2014 by injecting an arbitrary `externalId` value when updating their own provider profile."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:12:58.210Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4204099-1065-4167-8b42-3da25945236c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Controller/User/Provider/UpdateProviderController.php#L30"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L146"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.1.3/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php#L239"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3499608/ameliabooking/trunk/src/Application/Commands/User/Provider/UpdateProviderCommandHandler.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T06:43:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-06T18:13:11.000Z",
"value": "Disclosed"
}
],
"title": "Amelia \u003c= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via \u0027externalId\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5465",
"datePublished": "2026-04-07T06:43:41.045Z",
"dateReserved": "2026-04-03T06:28:11.890Z",
"dateUpdated": "2026-04-08T17:12:58.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5617 (GCVE-0-2026-5617)
Vulnerability from cvelistv5 – Published: 2026-04-15 07:45 – Updated: 2026-04-15 16:13
VLAI
Title
Login as User <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via 'oclaup_original_admin' Cookie
Summary
The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator's user ID and triggering the "Return to Admin" functionality.
Severity
8.8 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| royalnavneet | Login as User – Switch User & WooCommerce Login as Customer |
Affected:
0 , ≤ 1.0.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T13:32:27.091082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T16:13:15.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Login as User \u2013 Switch User \u0026 WooCommerce Login as Customer",
"vendor": "royalnavneet",
"versions": [
{
"lessThanOrEqual": "1.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HA GIA BAO"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator\u0027s user ID and triggering the \"Return to Admin\" functionality."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T07:45:29.695Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0c74d48-6cfc-4899-bd2c-4a80b1f6e05f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/trunk/includes/class-login-handler.php#L45"
},
{
"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/tags/1.0.3/includes/class-login-handler.php#L45"
},
{
"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/tags/1.0.3/includes/class-login-handler.php#L50"
},
{
"url": "https://wordpress.org/plugins/one-click-login-as-user/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-14T19:44:50.000Z",
"value": "Disclosed"
}
],
"title": "Login as User \u003c= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via \u0027oclaup_original_admin\u0027 Cookie"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5617",
"datePublished": "2026-04-15T07:45:29.695Z",
"dateReserved": "2026-04-05T15:42:32.653Z",
"dateUpdated": "2026-04-15T16:13:15.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5652 (GCVE-0-2026-5652)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:33 – Updated: 2026-04-21 17:22
VLAI
Title
Authorization Bypass Through User-Controlled Key in Crafty Controller
Summary
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
Severity
9 (Critical)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller |
Affected:
0 , ≤ 4.10.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5652",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T17:21:48.540617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T17:22:27.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Crafty Controller",
"vendor": "Arcadia Technology, LLC",
"versions": [
{
"lessThanOrEqual": "4.10.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thank you to [Kacper Leszczy\u0144ski / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:33:56.878Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 4.10.3"
}
],
"title": "Authorization Bypass Through User-Controlled Key in Crafty Controller"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-5652",
"datePublished": "2026-04-21T16:33:56.878Z",
"dateReserved": "2026-04-06T05:03:53.661Z",
"dateUpdated": "2026-04-21T17:22:27.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5750 (GCVE-0-2026-5750)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:25 – Updated: 2026-04-22 13:59
VLAI
Title
Insecure direct object reference (IDOR) vulnerability in Fullstep
Summary
An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from: '/api/suppliers/v1/suppliers//false' to list user information; and '/#/supplier-registration/supplier-registration//2' to update your user information (personal details, documents, etc.).
Severity
CWE
- CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.incibe.es/en/incibe-cert/notices/avis… | patch |
Impacted products
Date Public
2026-04-20 10:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:50:12.437860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:59:00.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fullstep",
"vendor": "Fullstep",
"versions": [
{
"status": "affected",
"version": "5"
},
{
"status": "unaffected",
"version": "5.30.07"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fullstep:fullstep:5:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:fullstep:fullstep:5.30.07:*:*:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alejandro Rivera Le\u00f3n"
}
],
"datePublic": "2026-04-20T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from: \u0027/api/suppliers/v1/suppliers//false\u0027 to list user information; and \u0027/#/supplier-registration/supplier-registration//2\u0027 to update your user information (personal details, documents, etc.)."
}
],
"value": "An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from: \u0027/api/suppliers/v1/suppliers//false\u0027 to list user information; and \u0027/#/supplier-registration/supplier-registration//2\u0027 to update your user information (personal details, documents, etc.)."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:25:26.449Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The vulnerability has been fixed by the Fullstep team in version 5.30.07, which has been available in production since January 29, 2026."
}
],
"value": "The vulnerability has been fixed by the Fullstep team in version 5.30.07, which has been available in production since January 29, 2026."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insecure direct object reference (IDOR) vulnerability in Fullstep",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-5750",
"datePublished": "2026-04-22T13:25:26.449Z",
"dateReserved": "2026-04-07T15:31:15.848Z",
"dateUpdated": "2026-04-22T13:59:00.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5798 (GCVE-0-2026-5798)
Vulnerability from cvelistv5 – Published: 2026-05-14 12:26 – Updated: 2026-05-14 13:48
VLAI
Title
Unsafe Object Reference (IDOR) vulnerability in Stel Order
Summary
Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.
Severity
CWE
- CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Stel Order | Stel Order |
Affected:
0 , ≤ 3.25.1
(custom)
|
Date Public
2026-05-14 10:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:48:08.950427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:48:15.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Stel Order",
"vendor": "Stel Order",
"versions": [
{
"lessThanOrEqual": "3.25.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:stel_order:stel_order:*:*:*:*:*:*:*:*",
"versionEndIncluding": "3.25.1",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Manuel Gomez Argando\u00f1a"
}
],
"datePublic": "2026-05-14T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the \u2018/app/FrontController\u2019 endpoint, through manipulation of the \u2018employeeID\u2019 parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server."
}
],
"value": "Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the \u2018/app/FrontController\u2019 endpoint, through manipulation of the \u2018employeeID\u2019 parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization bypass through User-Controlled key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T12:26:09.501Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unsafe Object Reference (IDOR) vulnerability in Stel Order",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2026-5798",
"datePublished": "2026-05-14T12:26:09.501Z",
"dateReserved": "2026-04-08T14:09:26.134Z",
"dateUpdated": "2026-05-14T13:48:15.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5842 (GCVE-0-2026-5842)
Vulnerability from cvelistv5 – Published: 2026-04-09 04:30 – Updated: 2026-04-13 19:59
VLAI
Title
decolua 9router Administrative API Endpoint api authorization
Summary
A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.
Severity
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/356298 | vdb-entry |
| https://vuldb.com/vuln/356298/cti | signaturepermissions-required |
| https://vuldb.com/submit/790003 | third-party-advisory |
| https://github.com/decolua/9router/issues/431 | issue-tracking |
| https://github.com/decolua/9router/issues/431#iss… | issue-tracking |
| https://github.com/deepcat1337/Free_Api_Exploit/t… | exploit |
| https://github.com/decolua/9router/releases/tag/v0.3.75 | patch |
| https://github.com/decolua/9router/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| decolua | 9router |
Affected:
0.3.0
Affected: 0.3.1 Affected: 0.3.2 Affected: 0.3.3 Affected: 0.3.4 Affected: 0.3.5 Affected: 0.3.6 Affected: 0.3.7 Affected: 0.3.8 Affected: 0.3.9 Affected: 0.3.10 Affected: 0.3.11 Affected: 0.3.12 Affected: 0.3.13 Affected: 0.3.14 Affected: 0.3.15 Affected: 0.3.16 Affected: 0.3.17 Affected: 0.3.18 Affected: 0.3.19 Affected: 0.3.20 Affected: 0.3.21 Affected: 0.3.22 Affected: 0.3.23 Affected: 0.3.24 Affected: 0.3.25 Affected: 0.3.26 Affected: 0.3.27 Affected: 0.3.28 Affected: 0.3.29 Affected: 0.3.30 Affected: 0.3.31 Affected: 0.3.32 Affected: 0.3.33 Affected: 0.3.34 Affected: 0.3.35 Affected: 0.3.36 Affected: 0.3.37 Affected: 0.3.38 Affected: 0.3.39 Affected: 0.3.40 Affected: 0.3.41 Affected: 0.3.42 Affected: 0.3.43 Affected: 0.3.44 Affected: 0.3.45 Affected: 0.3.46 Affected: 0.3.47 Unaffected: 0.3.75 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T19:59:13.122414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T19:59:23.935Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Administrative API Endpoint"
],
"product": "9router",
"vendor": "decolua",
"versions": [
{
"status": "affected",
"version": "0.3.0"
},
{
"status": "affected",
"version": "0.3.1"
},
{
"status": "affected",
"version": "0.3.2"
},
{
"status": "affected",
"version": "0.3.3"
},
{
"status": "affected",
"version": "0.3.4"
},
{
"status": "affected",
"version": "0.3.5"
},
{
"status": "affected",
"version": "0.3.6"
},
{
"status": "affected",
"version": "0.3.7"
},
{
"status": "affected",
"version": "0.3.8"
},
{
"status": "affected",
"version": "0.3.9"
},
{
"status": "affected",
"version": "0.3.10"
},
{
"status": "affected",
"version": "0.3.11"
},
{
"status": "affected",
"version": "0.3.12"
},
{
"status": "affected",
"version": "0.3.13"
},
{
"status": "affected",
"version": "0.3.14"
},
{
"status": "affected",
"version": "0.3.15"
},
{
"status": "affected",
"version": "0.3.16"
},
{
"status": "affected",
"version": "0.3.17"
},
{
"status": "affected",
"version": "0.3.18"
},
{
"status": "affected",
"version": "0.3.19"
},
{
"status": "affected",
"version": "0.3.20"
},
{
"status": "affected",
"version": "0.3.21"
},
{
"status": "affected",
"version": "0.3.22"
},
{
"status": "affected",
"version": "0.3.23"
},
{
"status": "affected",
"version": "0.3.24"
},
{
"status": "affected",
"version": "0.3.25"
},
{
"status": "affected",
"version": "0.3.26"
},
{
"status": "affected",
"version": "0.3.27"
},
{
"status": "affected",
"version": "0.3.28"
},
{
"status": "affected",
"version": "0.3.29"
},
{
"status": "affected",
"version": "0.3.30"
},
{
"status": "affected",
"version": "0.3.31"
},
{
"status": "affected",
"version": "0.3.32"
},
{
"status": "affected",
"version": "0.3.33"
},
{
"status": "affected",
"version": "0.3.34"
},
{
"status": "affected",
"version": "0.3.35"
},
{
"status": "affected",
"version": "0.3.36"
},
{
"status": "affected",
"version": "0.3.37"
},
{
"status": "affected",
"version": "0.3.38"
},
{
"status": "affected",
"version": "0.3.39"
},
{
"status": "affected",
"version": "0.3.40"
},
{
"status": "affected",
"version": "0.3.41"
},
{
"status": "affected",
"version": "0.3.42"
},
{
"status": "affected",
"version": "0.3.43"
},
{
"status": "affected",
"version": "0.3.44"
},
{
"status": "affected",
"version": "0.3.45"
},
{
"status": "affected",
"version": "0.3.46"
},
{
"status": "affected",
"version": "0.3.47"
},
{
"status": "unaffected",
"version": "0.3.75"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "cyberthoth (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T04:30:17.225Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-356298 | decolua 9router Administrative API Endpoint api authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/356298"
},
{
"name": "VDB-356298 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/356298/cti"
},
{
"name": "Submit #790003 | 9Router Router 0.3.47-0.3.32 Authorization Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/790003"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/decolua/9router/issues/431"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/decolua/9router/issues/431#issuecomment-4140163867"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/deepcat1337/Free_Api_Exploit/tree/main"
},
{
"tags": [
"patch"
],
"url": "https://github.com/decolua/9router/releases/tag/v0.3.75"
},
{
"tags": [
"product"
],
"url": "https://github.com/decolua/9router/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-08T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-08T19:48:54.000Z",
"value": "VulDB entry last update"
}
],
"title": "decolua 9router Administrative API Endpoint api authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5842",
"datePublished": "2026-04-09T04:30:17.225Z",
"dateReserved": "2026-04-08T17:43:46.180Z",
"dateUpdated": "2026-04-13T19:59:23.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Phases: Architecture and Design, Implementation
Description:
- Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Phase: Architecture and Design
Description:
- Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.