CVE-2026-3762
Improper Authorization in SourceCodester Client DBMS Endpoint

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in SourceCodester Client Database Management System 1.0/3.1. Impacted is an unknown function of the file /superadmin_delete_manager.php of the component Endpoint. The manipulation of the argument manager_id leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-08
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: lerouxyxchire
Product: client_database_management_system
Version / Range: 1.0
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Quick Actions
Executive Summary

CVE-2026-3762 is an improper authorization vulnerability in SourceCodester Client Database Management System versions 1.0 and 3.1. It exists in the endpoint /superadmin_delete_manager.php, where the manager_id parameter can be manipulated. This flaw allows unauthorized remote attackers to bypass authorization checks and perform actions without authentication.

Specifically, the endpoint does not verify the authentication state or user privileges before deleting sales manager accounts, enabling attackers to delete arbitrary managers by sending crafted POST requests.
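The missing check described above, shown as an added example of how a privileged deletion handler guards itself before acting on manager_id. This is illustrative code, not the SourceCodester project's own source; the session keys, the role name 'superadmin', the table and column names and the DSN are assumptions.

```php
<?php
// Added example, not code from the affected product. Demonstrates the
// authorization check (CWE-285) that a handler like
// /superadmin_delete_manager.php needs before deleting a record.
// Assumed: $_SESSION['user_id'], $_SESSION['role'] === 'superadmin',
// table `managers` with integer column `id`.
declare(strict_types=1);
session_start();

function require_superadmin(): void {
    // Refuse unless the caller is both authenticated and holds the privileged role.
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'superadmin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

function delete_manager(PDO $db, string $rawId): bool {
    require_superadmin();

    // Only accept the method the action is designed for.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method Not Allowed');
    }

    // Validate the identifier before it reaches the query.
    $managerId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($managerId === false) {
        http_response_code(400);
        exit('Invalid manager_id');
    }

    // Parameterised statement; table and column names are assumed.
    $stmt = $db->prepare('DELETE FROM managers WHERE id = :id');
    $stmt->execute([':id' => $managerId]);

    // Audit trail: record who deleted what, so the action is attributable in logs.
    error_log(sprintf('manager %d deleted by user %s', $managerId, $_SESSION['user_id']));
    return $stmt->rowCount() === 1;
}

// Example wiring; the DSN and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=cdm', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
echo delete_manager($db, $_POST['manager_id'] ?? '') ? 'deleted' : 'not found';
```

A CSRF token check on the POST would normally sit beside the role check as well; it is left out here to keep the example focused on the authorization defect.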

Impact Analysis

This vulnerability can have critical impacts including unauthorized deletion of sales manager accounts, disruption of business workflows, and compromise of data integrity.

  • Attackers can delete arbitrary sales managers without authentication.
  • It can disrupt business logic and related records such as sales agents, reports, and assignments.
  • It allows privilege bypass and unauthorized data manipulation, affecting system integrity and availability.

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable endpoint /superadmin_delete_manager.php on your system or network. Attackers may exploit it by sending unauthorized POST requests with a manager_id parameter.

One way to test for this vulnerability is to send a crafted POST request to the endpoint to see if it allows deletion without authentication. Note that a successful test actually deletes the record, so run it against a test copy of the application rather than a production instance.

  • Use the following curl command to test if the endpoint is vulnerable (replace http://TARGET with your system URL):
  • curl -X POST http://TARGET/cdm/superadmin_delete_manager.php -d "manager_id=3"

If the response indicates a successful deletion without requiring authentication, the system is vulnerable.

Additionally, attackers may locate vulnerable targets using Google dorking with queries like inurl:superadmin_delete_manager.php. [1, 2, 3]

Mitigation Strategies

Currently, no known countermeasures or mitigations have been identified for this vulnerability.

It is suggested to replace the affected product with an alternative that does not have this vulnerability.
