CVE-2026-3185
📋 TL;DR
This CVE describes an authorization bypass in the sz-boot-parent framework's /api/admin/sys-message/ API endpoint. An authenticated attacker can change the messageId parameter to read messages belonging to other users, because the endpoint does not check that the requested message is owned by the caller. All deployments running a version of sz-boot-parent prior to the 1.3.3-beta fix are exposed to this IDOR (Insecure Direct Object Reference) flaw.
💻 Affected Systems
- feiyuchuixue sz-boot-parent
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive messages belonging to any user, potentially exposing confidential information, personal data, or internal communications.
Likely Case
Unauthorized access to other users' messages, leading to data leakage and privacy violations.
If Mitigated
With proper authorization checks, users can only access their own messages as intended.
🎯 Exploit Status
Exploit requires authentication but bypasses authorization checks. Public exploit documentation exists on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3-beta
Vendor Advisory: https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
Restart Required: Yes
Instructions:
1. Back up the current installation.
2. Upgrade to version 1.3.3-beta.
3. Restart the application/service.
4. Verify that patch commit aefaabfd7527188bfba3c8c9eee17c316d094802 is applied.
🔧 Temporary Workarounds
API Endpoint Restriction
Temporarily restrict or disable the vulnerable /api/admin/sys-message/ endpoint. This blocks the endpoint for legitimate users as well, so treat it as a stopgap until the upgrade is done.
# Configure web server (nginx example)
location /api/admin/sys-message/ {
    deny all;      # access-phase deny; answers 403 on its own
    return 403;    # redundant with deny all (return runs in the rewrite phase, before deny is evaluated)
}
WAF Rule Implementation
Add WAF rules to detect and block suspicious messageId parameter manipulation.
# Example ModSecurity rule
# Note: @rx \d+ matches every numeric messageId, so this rule denies all use of the
# parameter, which is effectively the same as disabling the endpoint. A WAF cannot
# tell a caller's own message ID from another user's; only the application can.
SecRule ARGS:messageId "@rx \d+" \
    "id:1001,phase:2,deny,status:403,msg:'Potential IDOR attack detected'"
🧯 If You Can't Patch
- Implement application-level authorization checks to verify message ownership before returning data
- Add rate limiting and monitoring on the affected endpoint to detect exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Using two test accounts you control, check whether one account can retrieve a message belonging to the other by changing the messageId parameter in requests to /api/admin/sys-message/. If the message is returned, the instance is vulnerable.
Check Version:
Check that the running application version is 1.3.3-beta or later, or verify that the deployed build includes commit aefaabfd7527188bfba3c8c9eee17c316d094802.
Verify Fix Applied:
After patching, repeat the two-account check above and confirm that message ownership is enforced: a request for another user's messageId must be refused rather than returned.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts on /api/admin/sys-message/
- Unusual access patterns to message IDs outside normal user ranges
Network Indicators:
- HTTP requests to /api/admin/sys-message/ with manipulated messageId parameters
- Unusual spikes in API calls to message endpoints
SIEM Query (pseudo-query; the 1000 cut-off and user_normal_range are placeholders to replace with the set of message IDs each user legitimately owns in your deployment):
source="web_logs" AND uri_path="/api/admin/sys-message/" AND (messageId>1000 OR messageId NOT IN user_normal_range)
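The log indicators above, turned into runnable detection logic as an added example (it is not from the advisory or the sz-boot-parent project): it assumes a simplified "user method url status" log format and a /detail sub-path, and flags users with either many distinct messageIds (how the bypass looks before the patch, when every request succeeds) or repeated 403s (how probing looks once ownership checks are enforced). The thresholds are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT_PREFIX = "/api/admin/sys-message/"
DISTINCT_ID_THRESHOLD = 5  # assumed: this many distinct messageIds per user is unusual
DENIED_THRESHOLD = 3       # assumed: this many 403s per user on the endpoint merits an alert

# Constructed sample lines in an assumed "user method url status" format; the /detail
# sub-path is also assumed, only the endpoint prefix and messageId come from the advisory.
SAMPLE_LOG = """\
alice GET /api/admin/sys-message/detail?messageId=101 200
bob GET /api/admin/sys-message/detail?messageId=201 200
bob GET /api/admin/sys-message/detail?messageId=202 403
bob GET /api/admin/sys-message/detail?messageId=203 403
bob GET /api/admin/sys-message/detail?messageId=204 403
carol GET /api/admin/sys-message/detail?messageId=301 200
carol GET /api/admin/sys-message/detail?messageId=302 200
carol GET /api/admin/sys-message/detail?messageId=303 200
carol GET /api/admin/sys-message/detail?messageId=304 200
carol GET /api/admin/sys-message/detail?messageId=305 200
dave GET /api/admin/sys-message/list 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (user, path, query_params, status), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, _method, url, status = m.groups()
    u = urlsplit(url)
    return user, u.path, parse_qs(u.query), int(status)

def detect_enumeration(log_text):
    """Return {user: (distinct_message_ids, denied_count)} for users over a threshold.
    Pre-patch enumeration: many distinct IDs, all 200. Post-patch probing: repeated 403s."""
    ids, denied = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, path, params, status = rec
        if not path.startswith(ENDPOINT_PREFIX) or "messageId" not in params:
            continue
        ids[user].update(params["messageId"])
        denied[user] += status == 403
    return {u: (len(ids[u]), denied[u]) for u in ids
            if len(ids[u]) >= DISTINCT_ID_THRESHOLD or denied[u] >= DENIED_THRESHOLD}
```

Running `detect_enumeration(SAMPLE_LOG)` flags bob (three 403s) and carol (five distinct IDs) while leaving alice and dave alone.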
🔗 References
- https://github.com/feiyuchuixue/sz-boot-parent/
- https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802
- https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
- https://github.com/yuccun/CVE/blob/main/sz-boot-parent-IDOR_Message_ID_Enumeration.md
- https://vuldb.com/?ctiid.347743
- https://vuldb.com/?id.347743
- https://vuldb.com/?submit.754036