CVE-2026-2105

6.3 MEDIUM

📋 TL;DR

CVE-2026-2105 is an improper-authorization flaw in yeqifu warehouse: the department management functions (add, update, delete) can be invoked by users who do not hold the permission those functions should require. An attacker with any account on the application can call them remotely over HTTP and alter the organizational structure. Every deployment built from an affected commit is vulnerable.

💻 Affected Systems

Products:
  • yeqifu warehouse
Versions: All versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: This is a rolling-release project without tagged versions, so the affected range is expressed as a commit. All deployments built from that commit or any earlier commit in its history are vulnerable.

⚠️ Manual Verification Required

The CVE record carries no version ranges (the project has no tagged releases, only commits), so automated scanners cannot decide whether a given deployment is affected. Compare the commit your deployment was built from against the affected commit instead.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Move to the latest upstream commit once a fix is published; no patched commit is available at the time of this entry

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker restructures the department tree at will: deletes departments that business processes or access-control rules depend on, or creates departments under their own control, disrupting operations and the permission model built on top of the organization structure.

🟠 Likely Case

An ordinary account holder adds, renames or deletes departments they have no business touching. Because department membership commonly drives what users may see and approve, this can be a stepping stone to wider privileges or disrupt business processes.

🟢 If Mitigated

Network segmentation and strong authentication keep outsiders away from the endpoints, so exploitation is confined to users who already hold accounts. The authorization gap itself remains until the controller is patched, so any authenticated user can still abuse it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are public in the project's GitHub issues. The attack needs an authenticated session, but not the department-management permission: the add, update and delete handlers never check whether the caller is authorized, so any account suffices.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Monitor GitHub repository for security patches
2. Apply any security updates when available
3. Restart the warehouse application after patching

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all deployments

Restrict network access to the warehouse application to trusted networks only. This keeps outsiders off the endpoints but does nothing about users who already have accounts.

Authorization at the Edge

Applies to: all deployments

Front the application with a reverse proxy that allows POST/PUT/DELETE requests to /dept/add, /dept/update and /dept/delete only from administrator hosts (or only for sessions carrying an administrator role, if the proxy can see that). Rate limiting alone does not close an authorization gap; it only slows abuse.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules so that only trusted networks can reach the warehouse application
  • Enforce authorization in front of the application: web application firewall or reverse proxy rules that reject department management requests (/dept/add, /dept/update, /dept/delete) unless they come from administrator hosts or administrator sessions

🔍 How to Verify

Check if Vulnerable:

Check whether your deployment was built from yeqifu warehouse commit aaf29962ba407d22d991781de28796ee7b4670e4 or from an earlier commit in its history; every commit in that range carries the unchecked department handlers.

Check Version:

git log --oneline -1   # prints the commit your deployment was built from; affected if it is aaf29962 or an ancestor of it

Verify Fix Applied:

Verify that each of addDept, updateDept and deleteDept in DeptController.java is guarded by a permission or role check that rejects callers lacking department-management rights before any database write, and that the check cannot be skipped by calling the endpoint directly (a front-end that merely hides the buttons is not a fix).
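What "properly implemented" looks like in code, as an added example that is not taken from the yeqifu warehouse repository. It assumes a Spring MVC controller secured with Apache Shiro; the permission strings ("dept:add", "dept:update", "dept:delete"), the Dept record, the DeptService interface and the route names are hypothetical stand-ins for the project's own types. The first controller shows the unchecked pattern the advisory describes; the second shows the same handlers with authorization enforced.

```java
// Added example, not code from the yeqifu warehouse project. Assumes Spring MVC
// plus Apache Shiro; Dept, DeptService and the permission strings are hypothetical.
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;

public class DeptAuthorizationExample {

    // Hypothetical collaborators, declared here so the file is self-contained.
    public record Dept(Long id, String name, Long parentId) {}

    public interface DeptService {
        void add(Dept dept);
        void update(Dept dept);
        void delete(long id);
    }

    // BEFORE: the shape the advisory describes. Authentication happens upstream,
    // but nothing asks whether this particular user may change departments, so
    // any logged-in account can call the handler. Do not deploy this class.
    @RestController
    @RequestMapping("/dept-unchecked")
    public static class VulnerableDeptController {
        private final DeptService deptService;

        public VulnerableDeptController(DeptService deptService) {
            this.deptService = deptService;
        }

        @PostMapping("/delete")
        public Map<String, Object> deleteDept(@RequestParam("id") long id) {
            deptService.delete(id);            // no permission check at all
            return Map.of("code", 0, "msg", "deleted");
        }
    }

    // AFTER: every mutating handler requires a specific permission. The Shiro
    // annotation rejects the call before the body runs, but only when Shiro's
    // AOP advisor is registered; the explicit check inside each method is the
    // fallback that still holds if that wiring is missing or later removed.
    @RestController
    @RequestMapping("/dept")
    public static class HardenedDeptController {
        private final DeptService deptService;

        public HardenedDeptController(DeptService deptService) {
            this.deptService = deptService;
        }

        @RequiresPermissions("dept:add")
        @PostMapping("/add")
        public Map<String, Object> addDept(@RequestBody Dept dept) {
            requirePermission("dept:add");
            deptService.add(dept);
            return Map.of("code", 0, "msg", "added");
        }

        @RequiresPermissions("dept:update")
        @PostMapping("/update")
        public Map<String, Object> updateDept(@RequestBody Dept dept) {
            requirePermission("dept:update");
            deptService.update(dept);
            return Map.of("code", 0, "msg", "updated");
        }

        @RequiresPermissions("dept:delete")
        @PostMapping("/delete")
        public Map<String, Object> deleteDept(@RequestParam("id") long id) {
            requirePermission("dept:delete");
            deptService.delete(id);
            return Map.of("code", 0, "msg", "deleted");
        }

        // Deny with a 403 and a fixed body rather than a stack trace or a 500.
        @ExceptionHandler(AuthorizationException.class)
        @ResponseStatus(HttpStatus.FORBIDDEN)
        public Map<String, Object> forbidden(AuthorizationException e) {
            return Map.of("code", 403, "msg", "forbidden");
        }

        // Checks the current subject's permission and refuses before any write.
        private static void requirePermission(String permission) {
            if (!SecurityUtils.getSubject().isPermitted(permission)) {
                throw new AuthorizationException("missing permission: " + permission);
            }
        }
    }
}
```

When reviewing the real DeptController.java, look for the same two properties: a check that names the specific department permission (not merely "is logged in"), and a denial path that returns 403 before the service method is reached.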

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /dept endpoints
  • Multiple department modification requests from single user
  • Department changes from non-admin users

Network Indicators:

  • HTTP POST/PUT/DELETE requests to department management endpoints from unauthorized sources

SIEM Query (field names are illustrative; map them to your own log schema):

source="warehouse" AND (uri_path="/dept/add" OR uri_path="/dept/update" OR uri_path="/dept/delete") AND user_role!="admin"
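The same detection logic as runnable code, so it can be applied to an exported access log where no SIEM is available. This is an added example, not from the yeqifu warehouse project or any particular SIEM product; the log line layout is constructed for the example and the burst threshold is an assumed value. It covers all three log indicators listed above: non-admin changes, bursts from one account, and denied attempts.

```java
// Added example, not from the yeqifu warehouse project. Assumed (constructed)
// log format, one request per line:
//   <ISO timestamp> user=<name> role=<role> <METHOD> <path> <status>
// Real deployments will need LOG_LINE adapted to their own layout.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DeptChangeDetector {

    // The department management endpoints named in the advisory.
    static final Pattern DEPT_MUTATION =
        Pattern.compile("^/dept/(add|update|delete)(\\?.*)?$");

    static final Pattern LOG_LINE = Pattern.compile(
        "^(\\S+) user=(\\S+) role=(\\S+) (GET|POST|PUT|DELETE) (\\S+) (\\d{3})$");

    // Assumed threshold for "many department changes from one account".
    static final int BURST_THRESHOLD = 3;

    public record Alert(String rule, String user, String detail) {}

    public static List<Alert> detect(List<String> lines) {
        List<Alert> alerts = new ArrayList<>();
        Map<String, Integer> changesPerUser = new HashMap<>();

        for (String line : lines) {
            Matcher m = LOG_LINE.matcher(line);
            if (!m.matches()) continue;                 // ignore lines in another format
            String ts = m.group(1), user = m.group(2), role = m.group(3);
            String method = m.group(4), path = m.group(5);
            int status = Integer.parseInt(m.group(6));

            if (!DEPT_MUTATION.matcher(path).matches()) continue;

            if (status == 401 || status == 403) {
                // Refused attempt: only seen once authorization is enforced, but
                // still worth recording, since it shows someone probing the endpoints.
                alerts.add(new Alert("dept-change-denied", user, ts + " " + method + " " + path));
                continue;
            }
            int n = changesPerUser.merge(user, 1, Integer::sum);

            // Rule 1: a non-admin reached a mutating handler and was not refused.
            if (!"admin".equals(role)) {
                alerts.add(new Alert("non-admin-dept-change", user, ts + " " + method + " " + path));
            }
            // Rule 2: burst of department changes from a single account (fires once).
            if (n == BURST_THRESHOLD + 1) {
                alerts.add(new Alert("dept-change-burst", user,
                    "more than " + BURST_THRESHOLD + " department changes"));
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample log; the 'bob' lines model the exploit pattern.
        List<String> sample = List.of(
            "2026-03-01T09:00:01Z user=alice role=admin POST /dept/add 200",
            "2026-03-01T09:00:05Z user=bob role=staff GET /dept/list 200",
            "2026-03-01T09:00:09Z user=bob role=staff POST /dept/delete?id=7 200",
            "2026-03-01T09:00:12Z user=bob role=staff POST /dept/update 200",
            "2026-03-01T09:00:14Z user=bob role=staff POST /dept/add 200",
            "2026-03-01T09:00:16Z user=bob role=staff POST /dept/add 200",
            "2026-03-01T09:01:00Z user=carol role=staff POST /dept/delete?id=9 403",
            "garbage line that does not parse");
        for (Alert a : detect(sample)) {
            System.out.println(a.rule() + " user=" + a.user() + " " + a.detail());
        }
    }
}
```

The role check keys on the application's own notion of "admin"; if the warehouse logs do not record the role per request, join the username against the user table before running the rules, otherwise every request from an unknown role is silently treated as non-admin.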
