CVE-2026-2667
Received Received - Intake
Improper Access Control in Rongzhitong Dispatch API Enables Remote Exploit

Publication date: 2026-02-18

Last updated on: 2026-02-26

Assigner: VulDB

Description
A vulnerability has been found in Rongzhitong Visual Integrated Command and Dispatch Platform up to 20260206. The impacted element is an unknown function of the file /dispatch/api?cmd=userinfo. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2667
EUVD
EUVD-2026-7636
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rongzhitong visual_integrated_command_and_dispatch_platform to 2026-02-06 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2667 is an access control vulnerability in the Rongzhitong Visual Integrated Command and Dispatch Platform, specifically in the API endpoint /dispatch/api?cmd=userinfo.

Due to improper or missing access restrictions, unauthorized remote attackers can access this API without any authentication.

This flaw allows attackers to retrieve sensitive information such as organization names and contact numbers.

The vulnerability is classified under CWE-284 (Improper Access Control) and has a moderate severity with a CVSSv3 base score of 5.3.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive information without requiring any authentication.

Attackers can remotely exploit the flaw to retrieve confidential data such as organization names and contact numbers.

Because the exploit is publicly available, the risk of exploitation is increased.

The impact primarily affects the confidentiality of the system, potentially leading to data leakage.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable API endpoint /dispatch/api?cmd=userinfo without authentication and observing if sensitive user information is returned.

A simple detection method is to send an HTTP GET request to the endpoint and check the response for unauthorized access to user information.

  • Use curl to test the endpoint: curl -v http://<target-ip-or-domain>/dispatch/api?cmd=userinfo
  • Monitor network traffic for unauthorized access attempts to /dispatch/api?cmd=userinfo.
Mitigation Strategies

Immediate mitigation involves restricting access to the vulnerable API endpoint to prevent unauthorized remote exploitation.

  • Apply restrictive firewall rules to block or limit access to /dispatch/api?cmd=userinfo from untrusted networks.
  • Implement proper authentication and access control mechanisms on the API endpoint to ensure only authorized users can access sensitive information.
  • Monitor logs and network traffic for suspicious access attempts to the vulnerable endpoint.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart