CVE-2026-23754
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-01-30

Assigner: VulnCheck

Description
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23754
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink d-view_8 to 2.0.1.107 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23754 is an improper access control vulnerability in D-Link D-View 8 versions 2.0.1.107 and below. It allows any authenticated user to manipulate the user_id parameter in backend API endpoints to access sensitive credential data of other users, including super administrators. These credentials can be reused to impersonate the targeted accounts, resulting in complete account takeover and full administrative control over the system. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the backend API endpoints to only trusted and necessary users, applying strict access control checks on the user_id parameter to ensure users can only access their own credentials, and monitoring for suspicious activity involving user_id manipulation. Additionally, updating or patching D-Link D-View 8 to a version later than 2.0.1.107 once available is recommended. Since no specific mitigation commands or patches are detailed in the resources, implementing network-level restrictions and vigilant monitoring are advised as immediate actions. [1]

Detection Guidance

Detection involves monitoring API requests to the backend endpoints of D-Link D-View 8 for unusual or unauthorized manipulation of the user_id parameter by authenticated users. Specifically, look for API calls where the user_id parameter is set to values other than the authenticated user's own ID, which may indicate attempts to access other users' credentials. Network traffic analysis tools or web application firewalls can be configured to log or alert on such behavior. However, no specific commands or detection scripts are provided in the available resources. [1]

Impact Analysis

This vulnerability can lead to complete account takeover by attackers who gain access to sensitive credentials of other users, including super administrators. As a result, attackers can fully impersonate these accounts and gain full administrative control over the D-View system, potentially compromising the confidentiality, integrity, and availability of the system. [1]

Compliance Impact

The vulnerability allows unauthorized access to sensitive credential data of other users, including super administrators, leading to complete account takeover and full administrative control. This exposure and misuse of sensitive authentication data can result in violations of data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, this vulnerability negatively impacts compliance with these common standards by compromising confidentiality and access controls. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart