CVE-2026-1702
Unknown Unknown - Not Provided
Improper Authorization in SourceCodester User Management Allows Remote Access

Publication date: 2026-01-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Impacted is an unknown function of the file /admin/operation/user.php of the component User Management. Performing a manipulation of the argument group_id results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1702
EUVD
EUVD-2026-5010
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mayurik pet_grooming_management_software 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1702 is an Improper Access Control vulnerability in SourceCodester Pet Grooming Management Software version 1.0. It occurs because the software relies only on client-side UI restrictions to prevent access to administrative functions but does not perform proper server-side authorization checks. An authenticated normal user can manipulate the 'group_id' parameter in a request to the admin-only endpoint '/admin/operation/user.php' to create an administrator account. This allows bypassing authorization controls and gaining administrative privileges. [1, 2, 3]

Impact Analysis

This vulnerability allows a normal authenticated user to escalate privileges to an administrator level, gaining full administrative access including user management, data control, and system settings. This can lead to complete system compromise, affecting confidentiality, integrity, and availability of the system. The exploit is easy to execute remotely and can result in unauthorized control over the affected software. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `/admin/operation/user.php` that include the `group_id` parameter set to 1 (admin) along with administrator account details. You can look for suspicious multipart/form-data POST requests containing parameters like first name, last name, email, contact, password, and group_id=1. Additionally, using Google dorking with the query `inurl:admin/operation/user.php` can help identify vulnerable targets. Network monitoring tools or web application firewalls (WAF) can be configured to alert on such requests. Example commands to detect such activity could include using `tcpdump` or `tshark` to filter HTTP POST requests to the vulnerable endpoint, for example: `tshark -Y 'http.request.method == "POST" && http.request.uri contains "/admin/operation/user.php"'` or using `grep` on web server logs to find POST requests with `group_id=1`. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/admin/operation/user.php` to trusted administrators only, for example by IP whitelisting or network segmentation. Since the vulnerability arises from lack of server-side authorization checks, applying proper server-side validation of user roles before processing requests is critical. If a patch or update is not available, consider replacing the affected software with an alternative product. Monitoring and blocking suspicious requests that attempt to manipulate the `group_id` parameter can also help reduce risk. Additionally, invalidate and rotate session cookies to prevent reuse of captured authenticated sessions. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1702. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart