CVE-2026-2105
Unknown Unknown - Not Provided
Improper Authorization in Yeqifu Department Management (Remote Exploit

Publication date: 2026-02-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\DeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2105
EUVD
EUVD-2026-5722
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yeqifu warehouse to 2025-10-06 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2105 is an improper authorization vulnerability in the yeqifu warehouse project, specifically in the Department Management component. The flaw exists in the addDept, updateDept, and deleteDept functions of the DeptController.java file. These functions lack proper authorization checks, allowing any authenticated user to remotely create, update, or delete department records without the necessary permissions.

This means that unauthorized users can manipulate the organizational structure, including user groupings and reporting lines, by exploiting this vulnerability.

Impact Analysis

The vulnerability allows unauthorized users to modify department data remotely, which can lead to improper access control configurations. This manipulation can affect confidentiality, integrity, and availability of organizational data.

  • Unauthorized creation, update, or deletion of department records.
  • Alteration of user groupings and reporting lines.
  • Potential disruption of access controls that depend on department configurations.

Such impacts can compromise the security and proper functioning of the affected system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the Department Management endpoints without proper authorization and observing if unauthorized modifications are possible.'}, {'type': 'paragraph', 'content': 'Specifically, sending POST requests to the endpoints addDept, updateDept, or deleteDept in the DeptController.java component can reveal the flaw.'}, {'type': 'paragraph', 'content': 'For example, a low-privileged user can send a POST request to /dept/deleteDept with a department ID parameter to test if deletion is allowed without proper rights.'}, {'type': 'list_item', 'content': 'curl -X POST https://[target]/dept/deleteDept -d "id=[department_id]"'}, {'type': 'list_item', 'content': 'curl -X POST https://[target]/dept/addDept -d "[department_data]"'}, {'type': 'list_item', 'content': 'curl -X POST https://[target]/dept/updateDept -d "id=[department_id]&[updated_data]"'}, {'type': 'paragraph', 'content': 'If these commands succeed without proper authorization checks, it indicates the presence of the vulnerability.'}] [3]

Mitigation Strategies

Currently, there are no known patches or countermeasures provided by the project maintainers.

Immediate mitigation steps include restricting access to the Department Management endpoints to trusted users only, for example by network segmentation or firewall rules.

Consider disabling or removing the affected Department Management functionality if possible until a fix is available.

Alternatively, replace the affected component or product with a secure version or different solution that enforces proper authorization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart