CVE-2026-4013
Improper Authorization in SourceCodester add_admin.php Allows Remote Access
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | web_based_pharmacy_product_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4013 is an improper authorization vulnerability in the SourceCodester Web-based Pharmacy Product Management System version 1.0, specifically in the add_admin.php file.
The vulnerability occurs because the system lacks proper server-side authorization checks on this endpoint, allowing any authenticated user, including those without administrative privileges, to access the add_admin.php page.
This flaw enables unauthorized users to create new admin accounts, effectively escalating their privileges to full administrative control.
The attack can be launched remotely without requiring local access or physical presence.
How can this vulnerability impact me? :
This vulnerability allows low-privileged users to escalate their privileges to administrators by creating new admin accounts through the vulnerable add_admin.php endpoint.
As a result, attackers can gain full administrative control over the application, compromising its confidentiality, integrity, and availability.
Such a compromise can lead to unauthorized access to sensitive data, manipulation or deletion of data, and disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized access to the add_admin.php endpoint, which lacks proper server-side authorization checks.'}, {'type': 'paragraph', 'content': 'One method to identify potentially vulnerable targets is to search for the URL pattern "inurl:add_admin.php" using Google hacking techniques.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or unauthorized access on your system, you can monitor web server logs for requests to add_admin.php from non-administrative users.'}, {'type': 'list_item', 'content': "Use web server log analysis commands such as: grep 'add_admin.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Check for unusual POST requests to add_admin.php from users without admin privileges.'}, {'type': 'list_item', 'content': 'Attempt to access the add_admin.php page with a non-admin user account to verify if access is improperly granted.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Currently, no known countermeasures or mitigations have been identified for this vulnerability.
It is suggested to replace the affected component or product with an alternative that properly enforces server-side authorization checks.
As an immediate step, restrict access to the add_admin.php endpoint to trusted administrators only, for example by using web server access controls or network-level restrictions.
Implement proper server-side role-based access control (RBAC) to ensure that only authorized users can access sensitive endpoints like add_admin.php.