CVE-2026-1197
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1197
EUVD
EUVD-2026-3487
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mineadmin mineadmin 1.0
mineadmin mineadmin 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1197 is an arbitrary file download vulnerability in MineAdmin versions 1.x and 2.x. It exists in the endpoint `/system/downloadById?id=`, where the `id` parameter is an auto-incrementing file identifier. Because these IDs are predictable, an attacker can sequentially enumerate them to download all site attachments without authorization, leading to unauthorized access to potentially sensitive files stored on the server. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information by allowing remote attackers to download files they should not have access to. This compromises confidentiality and may expose sensitive or private data stored on the server. Exploitation is remotely possible but considered difficult, and a public proof-of-concept exploit exists. [1, 2]

Compliance Impact

This vulnerability can negatively impact compliance with standards and regulations such as GDPR and HIPAA because it leads to unauthorized disclosure of sensitive information, violating confidentiality requirements mandated by these regulations. Organizations using the affected software may face compliance risks if sensitive data is exposed due to this flaw. [2]

Detection Guidance

This vulnerability can be detected by monitoring requests to the endpoint `/system/downloadById` with varying `id` parameters. Since the `id` is an auto-incrementing file identifier, an attacker may sequentially enumerate these IDs to download files. You can detect suspicious activity by checking web server logs for repeated or sequential access attempts to `/system/downloadById?id=`. For example, using command-line tools like grep to search logs: `grep "/system/downloadById?id=" /var/log/access.log` and then analyzing for sequential or repeated requests. Additionally, network monitoring tools can be used to detect unusual patterns of requests to this endpoint. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the `/system/downloadById` endpoint to authorized users only, for example by implementing authentication and authorization controls if not already in place. Since no vendor patch or fix is available and the vendor did not respond, consider replacing the affected MineAdmin versions 1.x and 2.x with a secure alternative. Monitoring and blocking suspicious requests to this endpoint can also help reduce exploitation risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1197. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart