CVE-2026-2549
Improper Access Control in LibrarySystem BookController Allows Remote Exploit
Publication date: 2026-02-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zhanghuanhao | librarysystem | to 1.1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2549 is an improper access control vulnerability in the zhanghuanhao LibrarySystem 图书馆管理系统 up to version 1.1.1. It affects the BookController.java file where insufficient or missing access restrictions allow unauthorized users to access administrative functions without authentication.'}, {'type': 'paragraph', 'content': "Specifically, attackers can directly access the administrator backend by navigating to the URL /admin_books.html without logging in. This lack of global permission interceptors and access control enforcement on administrative routes enables unauthorized users to perform Create, Read, Update, and Delete (CRUD) operations on the system's data."}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows attackers to remotely access the administrative backend of the LibrarySystem without any authentication, leading to unauthorized control over the system.'}, {'type': 'list_item', 'content': "Attackers can perform CRUD operations on the system's data, such as adding, modifying, or deleting book information."}, {'type': 'list_item', 'content': "The confidentiality, integrity, and availability of the system's data are compromised due to improper access controls."}, {'type': 'paragraph', 'content': 'Because the exploit is publicly available and requires no authentication, the risk of exploitation is high, potentially leading to data manipulation or disruption of library management operations.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the administrative backend URL without authentication. Specifically, an unauthorized user can try to access the URL /admin_books.html directly.
If the system allows access to this URL without requiring login credentials, it indicates the presence of the vulnerability due to improper access control.
- Use a web browser or command-line tool like curl to test access: curl -i http://<target-ip-or-domain>/admin_books.html
- If the response returns the administrative interface or HTTP 200 OK without authentication prompts, the system is vulnerable.
- Monitor network traffic for unauthorized access attempts to /admin_books.html or similar administrative endpoints.
What immediate steps should I take to mitigate this vulnerability?
Currently, no patches or official fixes are available for this vulnerability.
Immediate mitigation steps include restricting access to the administrative backend by implementing proper access control mechanisms such as authentication and authorization checks.
As a temporary measure, restrict network access to the /admin_books.html endpoint using firewall rules or web server configuration to allow only trusted IP addresses.
Consider replacing the affected software with an alternative product that does not have this vulnerability.