CVE-2026-4013
Received Received - Intake
Improper Authorization in SourceCodester add_admin.php Allows Remote Access

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: VulDB

Description
A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown function of the file add_admin.php. Such manipulation leads to improper authorization. The attack may be launched remotely.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4013
EUVD
EUVD-2026-11546
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester web_based_pharmacy_product_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4013 is an improper authorization vulnerability in the SourceCodester Web-based Pharmacy Product Management System version 1.0, specifically in the add_admin.php file.

The vulnerability occurs because the system lacks proper server-side authorization checks on this endpoint, allowing any authenticated user, including those without administrative privileges, to access the add_admin.php page.

This flaw enables unauthorized users to create new admin accounts, effectively escalating their privileges to full administrative control.

The attack can be launched remotely without requiring local access or physical presence.

Impact Analysis

This vulnerability allows low-privileged users to escalate their privileges to administrators by creating new admin accounts through the vulnerable add_admin.php endpoint.

As a result, attackers can gain full administrative control over the application, compromising its confidentiality, integrity, and availability.

Such a compromise can lead to unauthorized access to sensitive data, manipulation or deletion of data, and disruption of services.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized access to the add_admin.php endpoint, which lacks proper server-side authorization checks.'}, {'type': 'paragraph', 'content': 'One method to identify potentially vulnerable targets is to search for the URL pattern "inurl:add_admin.php" using Google hacking techniques.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or unauthorized access on your system, you can monitor web server logs for requests to add_admin.php from non-administrative users.'}, {'type': 'list_item', 'content': "Use web server log analysis commands such as: grep 'add_admin.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Check for unusual POST requests to add_admin.php from users without admin privileges.'}, {'type': 'list_item', 'content': 'Attempt to access the add_admin.php page with a non-admin user account to verify if access is improperly granted.'}] [1, 2]

Mitigation Strategies

Currently, no known countermeasures or mitigations have been identified for this vulnerability.

It is suggested to replace the affected component or product with an alternative that properly enforces server-side authorization checks.

As an immediate step, restrict access to the add_admin.php endpoint to trusted administrators only, for example by using web server access controls or network-level restrictions.

Implement proper server-side role-based access control (RBAC) to ensure that only authorized users can access sensitive endpoints like add_admin.php.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4013. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart