CVE-2026-3737
Improper Authorization in SourceCodester Pet Grooming add_user.php
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mayurik | pet_grooming_management_software | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3737 is an improper authorization vulnerability in SourceCodester Pet Grooming Management Software version 1.0, specifically in the add_user.php endpoint. The software fails to enforce proper server-side role validation, allowing a low-privileged authenticated user to access the user creation page and create new standard user accounts without having administrative privileges.
Although the vulnerability does not allow creation of administrator accounts, it permits unauthorized creation of standard user accounts, which can lead to privilege escalation or unauthorized access within the system.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthorized users to create new standard user accounts without proper authorization. This compromises the integrity of the user management system and violates the principle of least privilege.
- Potential privilege escalation or unauthorized access within the system.
- Account spamming or misuse by unauthorized users.
- Compromise of confidentiality, integrity, and availability of the system.
The vulnerability can be exploited remotely without requiring local access, and publicly available exploits exist, increasing the risk of attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if low-privileged authenticated users can access the add_user.php endpoint and create new standard user accounts without administrative privileges.'}, {'type': 'paragraph', 'content': 'One detection method involves monitoring web server logs or using web application scanners to identify requests to the add_user.php page from non-administrative users.'}, {'type': 'paragraph', 'content': 'Additionally, attackers may use Google dorking with queries like "inurl:add_user.php" to find vulnerable targets.'}, {'type': 'list_item', 'content': 'Check web server access logs for requests to /add_user.php by users without admin privileges.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to test access: curl -i -b "session_cookie=normal_user_session" https://targetsite.com/add_user.php'}, {'type': 'list_item', 'content': 'Attempt to create a new user via the add_user.php endpoint using a low-privileged account to verify if unauthorized user creation is possible.'}] [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Currently, no effective countermeasures or mitigations are known for this vulnerability.
The recommended immediate step is to replace the affected SourceCodester Pet Grooming Management Software version 1.0 with an alternative product that does not have this vulnerability.
As a temporary measure, restrict access to the add_user.php endpoint to only trusted administrative users via network controls or web server configuration.
Monitor for suspicious activity related to user creation and review user accounts regularly to detect unauthorized accounts.