CVE-2026-3185
Awaiting Analysis Awaiting Analysis - Queue
Authorization Bypass in feiyuchuixue sz-boot-parent API Endpoint

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: VulDB

Description
A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the argument messageId results in authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta is able to address this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professional: "We have implemented message ownership verification, so that users can only query messages related to themselves."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3185
EUVD
EUVD-2026-8657
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
szadmin sz-boot-parent to 0.9.0 (inc)
szadmin sz-boot-parent 1.0.0
szadmin sz-boot-parent 1.0.1
szadmin sz-boot-parent 1.0.2
szadmin sz-boot-parent 1.1.0
szadmin sz-boot-parent 1.2.0
szadmin sz-boot-parent 1.2.1
szadmin sz-boot-parent 1.2.2
szadmin sz-boot-parent 1.2.3
szadmin sz-boot-parent 1.2.4
szadmin sz-boot-parent 1.2.5
szadmin sz-boot-parent 1.2.6
szadmin sz-boot-parent 1.3.0
szadmin sz-boot-parent 1.3.1
szadmin sz-boot-parent 1.3.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3185 is an authorization bypass vulnerability found in the feiyuchuixue sz-boot-parent project up to version 1.3.2-beta. It affects the API endpoint /api/admin/sys-message/ and specifically involves manipulation of the messageId parameter.

Due to improper access control, an attacker can manipulate the messageId argument to bypass authorization checks and access messages that belong to other users. This can be done remotely without authentication.

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) flaw, where the system fails to verify message ownership, allowing unauthorized users to view sensitive information.

The issue has been fixed in version 1.3.3-beta by implementing message ownership verification, ensuring users can only query messages related to themselves.

Impact Analysis

This vulnerability allows attackers to remotely access and retrieve private and sensitive messages belonging to other users without authorization.

As a result, confidential information can be disclosed to unauthorized parties, leading to a breach of privacy and potential misuse of sensitive data.

The exploit is publicly available and easy to execute, increasing the risk of exploitation.

The vulnerability does not affect system availability or data integrity but compromises confidentiality.

To mitigate this risk, upgrading to version 1.3.3-beta of sz-boot-parent is recommended.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves unauthorized access to the API endpoint /api/admin/sys-message/ by manipulating the messageId parameter to bypass authorization.

Detection can involve monitoring network traffic or logs for unusual or unauthorized access attempts to this endpoint, especially requests that enumerate or iterate through sequential messageId values.

Commands to detect this might include using tools like curl or wget to test access to different messageId values, or using network monitoring tools to identify suspicious API calls.

  • Example curl command to test access to a specific messageId: curl -v http://<target>/api/admin/sys-message/123
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic to the /api/admin/sys-message/ endpoint for unauthorized enumeration attempts.
  • Check application logs for repeated or sequential access to messageId parameters without proper authentication.
Mitigation Strategies

The primary mitigation step is to upgrade the affected sz-boot-parent component to version 1.3.3-beta or later, which includes a patch that implements message ownership verification.

This patch ensures that users can only query messages related to themselves, effectively preventing unauthorized access.

Until the upgrade can be applied, restrict access to the vulnerable API endpoint /api/admin/sys-message/ to trusted users or networks, and monitor for suspicious activity.

Apply the patch identified by commit aefaabfd7527188bfba3c8c9eee17c316d094802 if upgrading immediately is not feasible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart