CVE-2026-2077
Unknown Unknown - Not Provided
Improper Authorization in Yeqifu RoleController Enables Remote Exploit

Publication date: 2026-02-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role Management Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2077
EUVD
EUVD-2026-5746
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yeqifu warehouse to 2025-10-06 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2077 is a security vulnerability in the yeqifu warehouse application affecting the Role Management Handler component, specifically the addRole, updateRole, and deleteRole functions in RoleController.java.

The vulnerability arises because these role management endpoints lack proper authorization checks, allowing any authenticated user to create, update, or delete roles without permission verification.

This improper authorization flaw enables attackers with low privileges to escalate their privileges by creating new privileged roles, modifying existing roles, or deleting critical roles such as the admin role.

The attack can be launched remotely, and a proof-of-concept exploit has been publicly disclosed demonstrating how a low-privileged user can delete high-privilege roles.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to broad privilege escalation within the affected system, allowing attackers to gain unauthorized administrative access.'}, {'type': 'paragraph', 'content': "Attackers can disrupt normal operations by deleting critical roles, creating unauthorized privileged roles, or modifying existing roles, which compromises the system's confidentiality, integrity, and availability."}, {'type': 'paragraph', 'content': 'Because the exploit can be performed remotely by any authenticated user, the risk of operational disruption and unauthorized access is significant.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and testing the Role Management endpoints (addRole, updateRole, deleteRole) in the yeqifu warehouse application for improper authorization.'}, {'type': 'paragraph', 'content': 'Specifically, you can attempt to send POST requests to these endpoints as a low-privileged authenticated user to check if unauthorized role creation, modification, or deletion is possible.'}, {'type': 'paragraph', 'content': 'For example, to test deletion of a high-privilege role, you can use a command like:'}, {'type': 'list_item', 'content': "curl -X POST -d 'id=8' http://[target]/role/deleteRole -b cookies.txt"}, {'type': 'paragraph', 'content': "Here, 'id=8' represents the admin role ID, and 'cookies.txt' contains authentication cookies for a low-privileged user. If the request succeeds in deleting the admin role, the vulnerability is present."}, {'type': 'paragraph', 'content': 'Similarly, you can test addRole and updateRole endpoints by sending POST requests with role data payloads without proper authorization checks.'}] [1, 3]

Mitigation Strategies

Currently, no official patches or countermeasures have been provided by the yeqifu warehouse project.

Immediate mitigation steps include:

  • Restrict access to the Role Management endpoints (addRole, updateRole, deleteRole) to only trusted and highly privileged users via network controls or application firewall rules.
  • Implement additional authorization checks at the application or proxy level to prevent unauthorized role manipulation.
  • Monitor logs and alerts for suspicious activity related to role management operations.
  • Consider replacing or disabling the affected Role Management Handler component if feasible.

Long term, await official patches or updates from the project or consider alternative products that do not have this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2077. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart