CVE-2026-23754
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-01-30

Assigner: VulnCheck

Description
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Associated CPE: vendor dlink, product d-view_8, versions up to and including 2.0.1.107
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23754 is an improper access control vulnerability in D-Link D-View 8 versions 2.0.1.107 and below. It allows any authenticated user to manipulate the user_id parameter in backend API endpoints to access sensitive credential data of other users, including super administrators. These credentials can be reused to impersonate the targeted accounts, resulting in complete account takeover and full administrative control over the system. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring API requests to the backend endpoints of D-Link D-View 8 for unusual or unauthorized manipulation of the user_id parameter by authenticated users. Specifically, look for API calls where the user_id parameter is set to values other than the authenticated user's own ID, which may indicate attempts to access other users' credentials. Network traffic analysis tools or web application firewalls can be configured to log or alert on such behavior. However, no specific commands or detection scripts are provided in the available resources. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the backend API endpoints to only trusted and necessary users, applying strict access control checks on the user_id parameter to ensure users can only access their own credentials, and monitoring for suspicious activity involving user_id manipulation. Additionally, updating or patching D-Link D-View 8 to a version later than 2.0.1.107 once available is recommended. Since no specific mitigation commands or patches are detailed in the resources, implementing network-level restrictions and vigilant monitoring are advised as immediate actions. [1]
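As an added illustration (not code from D-Link, D-View or the resources this page cites): a Python sketch of the CWE-639 pattern the advisory describes beside the per-object authorization check the mitigation answer calls for, plus a log review that flags requests whose user_id differs from the authenticated user, as the detection answer suggests. The endpoint path, log format and user records are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed credential store keyed by user_id (placeholder data, not D-View's).
USERS = {
    "1": {"name": "admin", "secret": "SECRET-ADMIN"},
    "1001": {"name": "alice", "secret": "SECRET-ALICE"},
    "1002": {"name": "bob", "secret": "SECRET-BOB"},
}


def get_credentials_vulnerable(session_user_id, requested_user_id):
    """The CWE-639 pattern the advisory describes: the record is fetched by the
    client-supplied user_id with no check that it belongs to the caller."""
    return USERS[requested_user_id]


def get_credentials_hardened(session_user_id, requested_user_id):
    """Object-level authorization: the id in the request must equal the id bound
    to the authenticated session; anything else is denied before the lookup."""
    if requested_user_id != session_user_id:
        raise PermissionError(f"user {session_user_id} may not read user {requested_user_id}")
    return USERS[requested_user_id]


# Constructed access-log format: "<session_user_id> <METHOD> <path?query>".
LOG_LINE = re.compile(r"^(?P<uid>\S+) (?P<method>\S+) (?P<url>\S+)$")


def flag_cross_user_reads(lines):
    """Detection: return (session user, requested user_id) for every request
    whose user_id parameter differs from the authenticated user's own id."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m["url"]).query)
        for requested in query.get("user_id", []):
            if requested != m["uid"]:
                hits.append((m["uid"], requested))
    return hits


SAMPLE_LOG = [  # constructed lines; the endpoint path is a placeholder
    "1001 GET /api/users/credentials?user_id=1001",
    "1001 GET /api/users/credentials?user_id=1",
    "1002 GET /api/users/credentials?user_id=1001",
    "1002 GET /api/dashboard",
]
```

Running `flag_cross_user_reads(SAMPLE_LOG)` returns the two cross-user reads; the request for one's own record and the request without a user_id are not flagged.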


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized access to sensitive credential data of other users, including super administrators, leading to complete account takeover and full administrative control. This exposure and misuse of sensitive authentication data can result in violations of data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, this vulnerability negatively impacts compliance with these common standards by compromising confidentiality and access controls. [1]


How can this vulnerability impact me?

This vulnerability can lead to complete account takeover by attackers who gain access to sensitive credentials of other users, including super administrators. As a result, attackers can fully impersonate these accounts and gain full administrative control over the D-View system, potentially compromising the confidentiality, integrity, and availability of the system. [1]

