CVE-2026-0574
Unknown Unknown - Not Provided
Improper Authorization in Yeqifu Warehouse Request Handler

Publication date: 2026-01-04

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-04
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0574
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yeqifu warehouse to 2025-10-06 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an improper authorization flaw in the yeqifu warehouse software, specifically in the saveUserRole function of UserController.java. It allows a regular user to bypass authorization checks and assign themselves privileged roles, including administrator roles, by sending crafted requests remotely. This leads to vertical privilege escalation, granting unauthorized administrative control over the system. [2, 3]

Impact Analysis

Exploitation of this vulnerability can allow an attacker to gain full administrative control over the affected system. This compromises the confidentiality, integrity, and availability of the system by enabling unauthorized role assignments and potentially malicious actions performed with elevated privileges. [2, 3]

Detection Guidance

Detection can involve monitoring for unauthorized role assignment requests to the affected saveUserRole function in UserController.java. Since the exploit is public and involves crafting malicious requests to assign privileged roles, network traffic analysis tools can be used to detect unusual POST or PUT requests to the role assignment endpoint. Specific commands are not provided in the resources, but inspecting HTTP request logs for unexpected role changes or using intrusion detection systems to flag privilege escalation attempts is recommended. [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected component, monitoring and auditing user role changes closely, and considering replacing the affected yeqifu warehouse component with an alternative product, as no known countermeasures or patches are currently available. Applying strict network controls to limit access to the vulnerable endpoint and increasing logging for suspicious activity are also advisable. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0574. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart