CVE-2026-2174

7.3 HIGH

📋 TL;DR

CVE-2026-2174 is an authentication bypass vulnerability in code-projects Contact Management System 1.0 that allows attackers to manipulate CRUD endpoint ID parameters to access unauthorized functionality. This affects all installations of version 1.0, enabling remote attackers to potentially access, modify, or delete contact data without proper credentials.

💻 Affected Systems

Products:
  • code-projects Contact Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. No specific OS requirements mentioned.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through privilege escalation leading to data exfiltration, unauthorized data modification, or system takeover.

🟠 Likely Case

Unauthorized access to contact management data including viewing, editing, or deleting sensitive contact information.

🟢 If Mitigated

Limited impact with proper network segmentation and authentication controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Remote exploitation possible without authentication. Specific exploit details not publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates.

🔧 Temporary Workarounds

Network Access Control

Platform: linux

Restrict access to the Contact Management System to trusted IP addresses only

iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP

Web Application Firewall

Platform: all

Implement WAF rules to block suspicious ID parameter manipulation

🧯 If You Can't Patch

  • Isolate the system in a segmented network with strict access controls
  • Implement additional authentication layer or API gateway with proper validation

🔍 How to Verify

Check if Vulnerable:

Test CRUD endpoints with manipulated ID parameters to see if authentication is bypassed

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that manipulated ID parameters no longer bypass authentication

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to CRUD endpoints
  • Failed authentication attempts followed by successful unauthorized access

Network Indicators:

  • Unusual traffic to CRUD endpoints from untrusted sources

SIEM Query:

source="web_logs" AND (uri="*/crud/*" OR uri="*/api/*") AND (status=200 OR status=201) AND NOT (user!="anonymous" OR auth_success="true")
