CVE-2026-2015
Improper Authorization in Portabilis i-Educar FinalStatusImportService
Publication date: 2026-02-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| portabilis | i-educar | to 2.10.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2015 is a Broken Function Level Authorization (BFLA) vulnerability in Portabilis i-Educar versions 2.0 through 2.10, specifically in the FinalStatusImportService.php file of the Final Status Import component.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper authorization checks on the argument "school_id," allowing an authenticated user with only \'School\' level permissions to bypass institution-level access controls.'}, {'type': 'paragraph', 'content': 'By manipulating the school_id parameter, an attacker can submit a CSV file containing enrollment IDs from any school unit, enabling unauthorized modification of student records across multiple school units.'}, {'type': 'paragraph', 'content': 'This flaw leads to privilege escalation beyond intended boundaries within the educational management system and compromises data integrity.'}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely, and a public proof-of-concept exploit is available.'}] [2, 3]
How can this vulnerability impact me? :
This vulnerability allows an attacker with limited permissions to escalate their privileges and modify student records across multiple school units without proper authorization.
Such unauthorized access can lead to mass alteration or sabotage of academic data, compromising the integrity and reliability of the educational records.
Because the exploit can be executed remotely, attackers do not need physical access to the system, increasing the risk of widespread impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by searching for the presence of the vulnerable component FinalStatusImportService.php in Portabilis i-Educar versions up to 2.10.'}, {'type': 'paragraph', 'content': 'Attackers can locate vulnerable targets using Google Dorking by searching for URLs containing "FinalStatusImportService.php".'}, {'type': 'paragraph', 'content': 'No specific detection commands are provided, but network or web server logs can be inspected for requests manipulating the argument "school_id" in FinalStatusImportService.php.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been identified for this vulnerability.
It is suggested to replace the affected component or product with an alternative solution.
Since the vendor did not respond to early disclosure attempts, immediate mitigation options are limited.