CVE-2026-2106
Unknown Unknown - Not Provided
Improper Authorization in Yeqifu Notice Management Allows Remote Access

Publication date: 2026-02-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2106
EUVD
EUVD-2026-5721
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yeqifu warehouse to 2025-10-06 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2106 is a vulnerability in the yeqifu warehouse project affecting the Notice Management component. Specifically, the functions addNotice, updateNotice, deleteNotice, and batchDeleteNotice in the NoticeController.java file lack proper authorization checks. This means that any authenticated user, regardless of their privilege level, can create, modify, or delete system notices without restriction.

Because these endpoints do not verify user permissions, unauthorized users can exploit this flaw to publish false information, remove important announcements, or disrupt internal communications within the system.

Impact Analysis

This vulnerability allows unauthorized users to manipulate system notices, which can have several negative impacts:

  • Spreading misinformation by publishing false or misleading notices.
  • Concealing or deleting critical announcements that users rely on.
  • Disrupting internal communications and trust within the organization.

Since the exploit can be performed remotely and requires only authenticated access, it poses a significant risk to the confidentiality, integrity, and availability of the notice management system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves improper authorization on the notice management endpoints of the yeqifu warehouse system, specifically the addNotice, updateNotice, deleteNotice, and batchDeleteNotice functions. Detection can focus on monitoring or testing access to these endpoints.'}, {'type': 'paragraph', 'content': 'One way to detect the vulnerability is to attempt to perform notice management actions (such as deleting a notice) using a low-privileged or unauthorized user account and observe if the action succeeds without proper authorization.'}, {'type': 'paragraph', 'content': 'Suggested commands include sending HTTP POST requests to the affected endpoints to test authorization enforcement. For example, using curl to test the deleteNotice endpoint:'}, {'type': 'list_item', 'content': "curl -X POST -d 'id=<notice_id>' http://<target>/notice/deleteNotice -b cookies.txt"}, {'type': 'paragraph', 'content': "Here, 'cookies.txt' contains the session cookies of a low-privileged user. If the request succeeds in deleting a notice, it indicates the vulnerability is present."}, {'type': 'paragraph', 'content': 'Similarly, other endpoints like addNotice, updateNotice, and batchDeleteNotice can be tested by crafting appropriate POST requests with relevant data.'}] [2]

Mitigation Strategies

Currently, there are no known patches or official mitigations available for this vulnerability as the project maintainers have not responded or provided fixes.

Immediate mitigation steps include restricting access to the affected notice management endpoints to trusted and authorized users only, for example by implementing network-level access controls such as firewall rules or VPN requirements.

Another approach is to disable or remove the affected endpoints temporarily if possible, to prevent unauthorized use.

Consider replacing the affected component or system with an alternative product that properly enforces authorization controls.

Monitoring logs for unauthorized access attempts and suspicious activity on the notice management endpoints is also recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart