CVE-2026-2076

6.3 MEDIUM

📋 TL;DR

This CVE describes an improper authorization vulnerability in the yeqifu warehouse user management endpoints (addUser/updateUser/deleteUser). Attackers can remotely exploit this to perform unauthorized user management operations. Organizations using yeqifu warehouse with the vulnerable component are affected.

💻 Affected Systems

Products:
  • yeqifu warehouse
Versions: All versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4
Operating Systems: Any OS running the Java application
Default Config Vulnerable: ⚠️ Yes
Notes: Continuous delivery with rolling releases means no specific version numbers are available. All deployments using the vulnerable code commit are affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the user management system, allowing attackers to create, modify, or delete any user account, potentially gaining administrative privileges or disrupting authentication systems.

🟠 Likely Case: Unauthorized user account manipulation leading to privilege escalation, account takeover, or denial of service through user deletion.

🟢 If Mitigated: Limited impact with proper network segmentation and authentication controls, though the vulnerability still exists in the application layer.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and a public exploit exists, making internet-facing instances particularly vulnerable to automated attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but network segmentation and internal controls provide some protection.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit has been made publicly available and targets specific user management endpoints. Some level of access to the application is required, but not necessarily authentication to the vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor has not responded to issue report

Vendor Advisory: None available

Restart Required: Yes

Instructions:

  1. Monitor the GitHub repository for patches or updates.
  2. If a fix is released, update to the latest version.
  3. Restart the application after updating.

🔧 Temporary Workarounds

Network Access Control

Restrict network access to the user management endpoints to authorized IP addresses only, for example with firewall rules that limit which sources can reach the /api/user/* endpoints.

Application Layer Filtering

Implement additional authorization checks at the web server or reverse proxy level, for example by configuring the web server (nginx/apache) to require authentication for the user management endpoints.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the warehouse application from untrusted networks
  • Deploy a web application firewall (WAF) with rules to detect and block unauthorized user management requests

🔍 How to Verify

Check if Vulnerable:

Check if your deployment uses code from commit aaf29962ba407d22d991781de28796ee7b4670e4 or earlier in the UserController.java file

Check Version:

git log --oneline -1 (to check current commit hash in the repository)

Verify Fix Applied:

Verify that the authorization checks in UserController.java have been properly implemented, and confirm that requests to the user management endpoints that lack proper authorization are rejected rather than acted upon.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /api/user/add, /api/user/update, /api/user/delete endpoints
  • Unexpected user creation/modification/deletion events

Network Indicators:

  • HTTP requests to user management endpoints from unauthorized sources
  • Unusual patterns of user management API calls

SIEM Query:

source="application.log" AND (uri_path="/api/user/add" OR uri_path="/api/user/update" OR uri_path="/api/user/delete") AND NOT user_role="admin"
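The SIEM query above can be reproduced outside a SIEM with a small log scanner. The following is an added example, not code from the yeqifu warehouse project or from this advisory: it assumes a simple space-separated application log layout (timestamp, client IP, role=..., method, path, status), which is an assumption about the log format, and it runs over constructed sample lines rather than real output. It flags every hit on /api/user/add, /api/user/update, or /api/user/delete by a non-admin role, records whether the request succeeded (a 2xx for a non-admin is the strongest sign the endpoint is not enforcing authorization), and counts flagged requests per source to surface the "unusual patterns" indicator.

```python
import re
from collections import Counter

# User-management paths named in this advisory's log indicators.
USER_MGMT_PATHS = {"/api/user/add", "/api/user/update", "/api/user/delete"}

# Constructed sample log lines (not real yeqifu warehouse output).
# The field layout "ts ip role=<role> method path status" is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 role=admin POST /api/user/add 200
2024-05-01T10:00:07Z 10.0.0.9 role=user POST /api/user/delete 200
2024-05-01T10:00:09Z 10.0.0.9 role=user GET /api/goods/list 200
2024-05-01T10:00:12Z 203.0.113.7 role=- POST /api/user/update?id=3 200
2024-05-01T10:00:15Z 10.0.0.9 role=user POST /api/user/delete 200
2024-05-01T10:00:20Z 10.0.0.5 role=admin GET /api/user/list 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) role=(?P<role>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthorized_user_mgmt(lines, admin_roles=("admin",)):
    """Equivalent of the advisory's SIEM query: requests to the user-management
    endpoints whose role is not an admin role. Query strings are stripped before
    matching so /api/user/update?id=3 is still recognised."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in USER_MGMT_PATHS and rec["role"] not in admin_roles:
            # A 2xx here means the endpoint accepted a non-admin request.
            rec["succeeded"] = 200 <= rec["status"] < 300
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client IP (the 'unusual patterns' network indicator)."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_unauthorized_user_mgmt(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ts']} {h['ip']} role={h['role']} {h['method']} {h['path']} "
              f"status={h['status']} succeeded={h['succeeded']}")
    print("per-source counts:", dict(summarize_by_source(found)))
```

If your application log lacks a role field, drop that clause and alert on any successful request to these three paths from a source that is not an expected administrative client; the remaining logic is unchanged.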
