Executive Summary

CVE-2026-2174 is a critical security flaw in version 1.0 of the code-projects Contact Management System, specifically in its CRUD (Create, Read, Update, Delete) Endpoint component. The vulnerability arises because the system does not properly authenticate users before allowing operations on contact data.

This means that anyone, even without logging in or providing credentials, can remotely perform actions such as viewing, creating, updating, or deleting contact records. For example, the delete operation can be triggered simply by visiting a URL with a specific contact ID, without any authentication or protection against cross-site request forgery (CSRF).

• Unauthenticated users can view the full contact list.
• Unauthenticated users can create new contacts.
• Unauthenticated users can modify existing contacts.
• Unauthenticated users can delete contacts without any authorization checks.

The root cause is improper authentication and authorization controls, allowing attackers to bypass identity verification and manipulate contact data remotely.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts on the confidentiality, integrity, and availability of your contact management system.

• Unauthorized access to sensitive contact data, leading to data exposure.
• Data integrity compromise through unauthorized creation, modification, or deletion of contact records.
• Potential data loss and disruption of business operations due to malicious or accidental deletions.
• Attackers might combine this vulnerability with other attacks like Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) to steal sessions or install persistent backdoors.

Overall, the vulnerability allows remote attackers to fully control contact data without any authentication, posing a high risk to system security and business continuity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the unauthenticated access to the CRUD endpoints of the code-projects Contact Management System 1.0, specifically targeting the create.php, update.php, and delete.php scripts.'}, {'type': 'list_item', 'content': 'Attempt to access the contacts listing by visiting the URL: index.php without authentication.'}, {'type': 'list_item', 'content': 'Send an unauthenticated POST request to create.php to create a new contact, for example using curl: curl -X POST -d "name=Test&[email protected]" http://<target>/create.php'}, {'type': 'list_item', 'content': 'Send an unauthenticated GET request to delete.php with an id parameter to attempt deletion, e.g.: curl http://<target>/delete.php?id=1'}, {'type': 'list_item', 'content': 'Send an unauthenticated POST request to update.php with contact ID and updated fields, e.g.: curl -X POST -d "id=1&name=UpdatedName" http://<target>/update.php'}, {'type': 'paragraph', 'content': 'If these requests succeed without requiring authentication, the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable CRUD endpoints by implementing proper authentication and authorization controls.

Since no known countermeasures or mitigations have been identified for this vulnerability, it is recommended to replace the affected component or product with an alternative that enforces authentication.

Additionally, consider restricting network access to the application to trusted users only, applying web application firewalls (WAF) to block unauthorized requests, and monitoring for suspicious activity targeting these endpoints.

Useful 0 Not Useful 0