CVE-2026-2141

6.3 MEDIUM

📋 TL;DR

This CVE describes an improper authorization vulnerability in WuKongOpenSource WukongCRM that allows attackers to bypass access controls via URL manipulation. Remote exploitation is possible, affecting all users of WukongCRM up to version 11.3.3. The vulnerability is in the gateway component's permission service implementation.

💻 Affected Systems

Products:
  • WuKongOpenSource WukongCRM
Versions: up to 11.3.3
Operating Systems: Any OS running WukongCRM
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the gateway component's URL handler in PermissionServiceImpl.java

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could gain unauthorized access to sensitive CRM data, modify user permissions, or perform administrative functions without proper authentication.

🟠 Likely Case: Unauthorized access to restricted functionality or data within the CRM system, potentially leading to data exposure or manipulation.

🟢 If Mitigated: Limited impact with proper network segmentation and access controls, but still represents a security weakness.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details have been publicly released, and remote exploitation is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch is available. Upgrade to any version later than 11.3.3 once the vendor releases one.

🔧 Temporary Workarounds

Network Access Restriction (platform: linux)

Restrict network access to the WukongCRM gateway component to trusted IPs only. Replace [WUKONG_PORT] with the gateway's listening port and [TRUSTED_IP] with the permitted source address or CIDR range; the ACCEPT rule must be added before the DROP rule so that trusted traffic matches first.

iptables -A INPUT -p tcp --dport [WUKONG_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [WUKONG_PORT] -j DROP

Web Application Firewall (platform: all)

Implement WAF rules to detect and block suspicious URL patterns targeting the gateway component.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WukongCRM from untrusted networks
  • Enable detailed logging and monitoring for unauthorized access attempts to gateway URLs

🔍 How to Verify

Check if Vulnerable:

Check the WukongCRM version. If it is 11.3.3 or earlier, the system is vulnerable.

Check Version:

Check the application version in the admin panel or in the deployment configuration.

Verify Fix Applied:

Verify that the running version is later than 11.3.3, or test that gateway URLs enforce authorization for unauthenticated and low-privileged users.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to gateway URLs
  • Failed authorization attempts followed by successful access
  • Requests bypassing normal authentication flows

Network Indicators:

  • Unusual traffic to gateway endpoints from unexpected sources
  • Patterns of URL manipulation attempts

SIEM Query:

source="wukongcrm" AND (url="*gateway*" OR url="*PermissionServiceImpl*") AND status="200" AND user="anonymous"
