CVE-2026-2549
Received Received - Intake
Improper Access Control in LibrarySystem BookController Allows Remote Exploit

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in zhanghuanhao LibrarySystem 图书馆管理系统 up to 1.1.1. This impacts an unknown function of the file BookController.java. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2549
EUVD
EUVD-2026-6103
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zhanghuanhao librarysystem to 1.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2549 is an improper access control vulnerability in the zhanghuanhao LibrarySystem 图书馆管理系统 up to version 1.1.1. It affects the BookController.java file where insufficient or missing access restrictions allow unauthorized users to access administrative functions without authentication.'}, {'type': 'paragraph', 'content': "Specifically, attackers can directly access the administrator backend by navigating to the URL /admin_books.html without logging in. This lack of global permission interceptors and access control enforcement on administrative routes enables unauthorized users to perform Create, Read, Update, and Delete (CRUD) operations on the system's data."}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows attackers to remotely access the administrative backend of the LibrarySystem without any authentication, leading to unauthorized control over the system.'}, {'type': 'list_item', 'content': "Attackers can perform CRUD operations on the system's data, such as adding, modifying, or deleting book information."}, {'type': 'list_item', 'content': "The confidentiality, integrity, and availability of the system's data are compromised due to improper access controls."}, {'type': 'paragraph', 'content': 'Because the exploit is publicly available and requires no authentication, the risk of exploitation is high, potentially leading to data manipulation or disruption of library management operations.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the administrative backend URL without authentication. Specifically, an unauthorized user can try to access the URL /admin_books.html directly.

If the system allows access to this URL without requiring login credentials, it indicates the presence of the vulnerability due to improper access control.

  • Use a web browser or command-line tool like curl to test access: curl -i http://<target-ip-or-domain>/admin_books.html
  • If the response returns the administrative interface or HTTP 200 OK without authentication prompts, the system is vulnerable.
  • Monitor network traffic for unauthorized access attempts to /admin_books.html or similar administrative endpoints.
Mitigation Strategies

Currently, no patches or official fixes are available for this vulnerability.

Immediate mitigation steps include restricting access to the administrative backend by implementing proper access control mechanisms such as authentication and authorization checks.

As a temporary measure, restrict network access to the /admin_books.html endpoint using firewall rules or web server configuration to allow only trusted IP addresses.

Consider replacing the affected software with an alternative product that does not have this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2549. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart