CVE-2026-2078
Improper Authorization in Yeqifu Permission Management Component
Publication date: 2026-02-07
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yeqifu | warehouse | to 2025-10-06 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have serious impacts because unauthorized users can manipulate the permission system remotely. By adding, modifying, or deleting permissions, attackers can escalate their privileges stealthily.
Such unauthorized changes can compromise the confidentiality, integrity, and availability of the system, potentially allowing attackers to gain access to sensitive data, disrupt services, or take control of the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-2078 is an improper authorization vulnerability in the yeqifu warehouse application, specifically in the Permission Management component within the PermissionController.java file. The functions addPermission, updatePermission, and deletePermission do not perform proper authorization checks, allowing any authenticated user, regardless of their privilege level, to create, modify, or delete permissions.
This means that a low-privileged user can manipulate the permission system by adding new permissions, updating existing ones, or deleting permissions without proper rights. This flaw enables attackers to corrupt the authorization system and perform stealthy privilege escalation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring unauthorized or suspicious requests to the permission management endpoints of the yeqifu warehouse application, specifically the addPermission, updatePermission, and deletePermission endpoints.
Since the flaw allows any authenticated user to manipulate permissions without proper authorization, detection can involve checking for POST requests to these endpoints from users who should not have such privileges.
Suggested commands to detect exploitation attempts include using network traffic inspection tools like curl or monitoring logs for POST requests to the following URLs:
- POST /permission/addPermission
- POST /permission/updatePermission
- POST /permission/deletePermission
Example curl command to test if unauthorized permission deletion is possible (replace URL and permission ID accordingly):
- curl -X POST https://yourserver/permission/deletePermission -d '{"id": "<permission_id>"}' -H 'Content-Type: application/json' -b 'auth_cookie_or_token'
Monitoring logs for such requests from low-privileged users or unexpected sources can help detect exploitation attempts. [1]
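One way to run the log check described above, as an added example that is not part of the original page or the yeqifu project. It assumes a combined-style access log whose third field is the authenticated user, a hypothetical PERMISSION_ADMINS allowlist, and constructed sample lines.

```python
import re

# The three endpoints named in the detection text above.
SENSITIVE = {"/permission/addPermission", "/permission/updatePermission",
             "/permission/deletePermission"}
# Assumption: accounts that may legitimately manage permissions here.
PERMISSION_ADMINS = {"admin"}
# Assumption: combined-log-style lines; third field is the authenticated user.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - admin [07/Feb/2026:09:00:01 +0000] "POST /permission/addPermission HTTP/1.1" 200 41
10.0.0.9 - clerk01 [07/Feb/2026:09:02:13 +0000] "POST /permission/deletePermission?id=12 HTTP/1.1" 200 38
10.0.0.9 - clerk01 [07/Feb/2026:09:02:40 +0000] "POST /permission/updatePermission HTTP/1.1" 403 0
10.0.0.9 - clerk01 [07/Feb/2026:09:03:02 +0000] "GET /some/other/page HTTP/1.1" 200 512
10.0.0.7 - - [07/Feb/2026:09:04:55 +0000] "POST /permission/addPermission/ HTTP/1.1" 302 0
"""

def normalize(target):
    """Strip query string and trailing slash so simple variations still match."""
    return target.split("?", 1)[0].rstrip("/")

def find_suspicious(log_text, admins=PERMISSION_ADMINS):
    """Return one finding per POST to a sensitive endpoint by a non-admin."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalize(m["target"])
        if path not in SENSITIVE or m["user"] in admins:
            continue
        # Assumption: the app answers a denied request with a non-2xx status,
        # so 2xx is read as "change accepted" and anything else as "attempted".
        outcome = "accepted" if m["status"].startswith("2") else "attempted"
        findings.append({"user": m["user"], "ip": m["ip"], "time": m["ts"],
                         "endpoint": path, "status": int(m["status"]),
                         "outcome": outcome})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']} {f['outcome']:9} {f['user']} from {f['ip']} -> "
              f"{f['endpoint']} ({f['status']})")
```

Findings marked "accepted" are the ones to reconcile against the current permission table first, since they indicate a change that went through.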
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected permission management endpoints (addPermission, updatePermission, deletePermission) to only highly privileged and authorized users.
Since the vulnerability arises from missing authorization checks, implementing proper authorization validation before allowing any permission modifications is critical.
If patching is not immediately possible, consider the following steps:
- Restrict network access to the permission management endpoints using firewall rules or API gateway policies.
- Monitor and audit all requests to these endpoints for suspicious activity.
- Temporarily disable or remove the affected endpoints if feasible.
Additionally, consider replacing the affected component with an alternative product if no timely fix is available, as the project has not yet responded to the issue.