CVE-2026-31272
Access Control Bypass in MRCMS UserController Enables Privilege Escalation

Publication date: 2026-04-07

Last updated on: 2026-04-14

Assigner: MITRE

Description
MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product   Version / Range
mrcms    mrcms     3.1.2
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated attackers to create super administrator accounts, leading to full website compromise and unauthorized access to sensitive data.

Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.


Can you explain this vulnerability to me?

CVE-2026-31272 is an access control vulnerability in MRCMS version 3.1.2: the save() method in UserController.java does not verify that the caller is authenticated and authorized before it creates a user.

Because the check is missing, an attacker needs no credentials at all to add an account, and the account can be placed directly in the super administrator group.

In practice the attacker sends an HTTP POST to the user creation endpoint (`/admin/user/save.do`) with no session cookie and form parameters that specify a super administrator user; a proxy such as Burp Suite makes it easy to capture a legitimate request, strip the cookies and change the parameters.


How can this vulnerability impact me?

This vulnerability allows unauthorized users to create super administrator accounts, leading to full website compromise.

Attackers gaining super administrator access can control the entire website, including modifying content, accessing sensitive data, and potentially deploying further attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for user accounts, especially super administrator accounts, that were created without an authenticated session.

Exploitation attempts are HTTP POST requests to `/admin/user/save.do`. The request body carries parameters such as `gid=1` (super administrator group), `nickname`, `name`, `pass`, `description` and `status=1`, and an exploit request arrives without a valid session cookie.

Note that default web server access logs record the method and path but not form bodies or cookies, so to see the `gid` value and the missing cookie you need a reverse proxy or WAF that logs request bodies, or a packet capture; during testing, a web proxy such as Burp Suite shows the same fields.

  • Monitor HTTP POST requests to `/admin/user/save.do` and alert on any that arrive without a valid session cookie, in particular those carrying `gid=1`.
  • Where request bodies are not logged, alert on every POST to `/admin/user/save.do` from a client that never authenticated, and review the rest by hand.
  • Check the user management interface (or the application's user table) for unexpected super administrator accounts and for accounts created at times when no administrator was logged in.
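The request-level detection described above, as an added example that is not part of this advisory or of MRCMS: it parses raw HTTP requests as a proxy or packet capture would show them and flags POSTs to `/admin/user/save.do` that carry `gid=1` without a session cookie. The session cookie name `JSESSIONID` and the sample captures are assumptions (the real cookie name of an MRCMS deployment may differ), and the captures are constructed, not real traffic.

```python
"""Scan captured HTTP requests for the CVE-2026-31272 exploitation pattern.

Added example, not MRCMS or vendor code. ASSUMPTION: the session cookie is named
JSESSIONID (the usual name for Java web applications); set SESSION_COOKIE to
whatever your deployment actually uses.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/admin/user/save.do"   # user creation endpoint named in the advisory
SUPER_ADMIN_GID = "1"                 # gid=1 is the super administrator group
SESSION_COOKIE = "JSESSIONID"         # ASSUMPTION: name of the admin session cookie


@dataclass
class Finding:
    path: str
    authenticated: bool     # a non-empty session cookie was presented (not proof it is valid)
    gid: Optional[str]
    name: Optional[str]
    verdict: str


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request, as a proxy or packet capture shows it, into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body


def has_session_cookie(headers: dict, cookie_name: str = SESSION_COOKIE) -> bool:
    """True when the Cookie header carries a non-empty value for the session cookie."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == cookie_name and value:
            return True
    return False


def classify(raw: str) -> Optional[Finding]:
    """Return a Finding for requests hitting the vulnerable endpoint, None for everything else."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return None
    form = {}
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body, keep_blank_values=True)
    gid = form.get("gid", [None])[0]
    name = form.get("name", [None])[0]
    authed = has_session_cookie(headers)
    if not authed and gid == SUPER_ADMIN_GID:
        verdict = "ALERT: unauthenticated super administrator creation (CVE-2026-31272 pattern)"
    elif not authed:
        verdict = "SUSPICIOUS: unauthenticated user creation attempt"
    elif gid == SUPER_ADMIN_GID:
        verdict = "REVIEW: super administrator created by an authenticated session"
    else:
        verdict = "INFO: authenticated user creation"
    return Finding(path, authed, gid, name, verdict)


def scan(captures) -> list:
    """Classify every capture and keep only those that touched the endpoint."""
    return [f for f in (classify(c) for c in captures) if f is not None]


# Constructed sample captures (not real traffic).
SAMPLE_CAPTURES = [
    # Exploit shape: no Cookie header, gid=1.
    "POST /admin/user/save.do HTTP/1.1\r\nHost: cms.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "gid=1&nickname=svc&name=backdoor&pass=P%40ss&description=x&status=1",
    # Legitimate administrator adding an editor (gid=2) with a session cookie.
    "POST /admin/user/save.do HTTP/1.1\r\nHost: cms.example.test\r\n"
    "Cookie: JSESSIONID=0A1B2C\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "gid=2&nickname=ed&name=editor1&pass=P%40ss&status=1",
    # Unrelated traffic.
    "GET /index.do HTTP/1.1\r\nHost: cms.example.test\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CAPTURES):
        print(finding.verdict, "name=", finding.name, "gid=", finding.gid)
```

The `authenticated` flag only records that a session cookie was presented; a replayed or expired cookie still counts, so an `ALERT` is the high-confidence signal and `REVIEW` findings should be correlated with the application's own session records before being dismissed.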

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the user creation endpoint and applying proper authorization checks.

Since the vulnerability allows unauthenticated creation of super administrator accounts, it is critical to prevent unauthenticated requests from reaching `/admin/user/save.do` at all.

  • Restrict access to the user management interface and related endpoints to trusted IP addresses or VPN users at the reverse proxy or firewall, so that the missing check cannot be reached from the Internet.
  • Implement or enforce authentication and authorization validation on the `save()` method in the UserController: reject requests with no valid session, and allow only super administrators to create accounts or to assign the super administrator group.
  • Monitor logs for suspicious user creation activity and remove any unauthorized super administrator accounts immediately; if one is found, also rotate the credentials of the legitimate administrators, since the rogue account may have been used to change them.
  • Update or patch the MRCMS software to a version where this vulnerability is fixed. This advisory lists no fixed version, so check the upstream project and keep the network restriction in place until a fix is confirmed.
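The authorization check the second bullet calls for, as an added example: this is a hypothetical Python model and not MRCMS code, with an in-memory user and session store, a `vulnerable_save` that mirrors a save() with no authorization validation, and a `hardened_save` that authenticates and authorizes the caller before creating anything. The policy that only super administrators may create users, the set of known group ids and the fixture accounts are assumptions.

```python
"""Missing check behind CVE-2026-31272 and the gate that closes it (hypothetical model, not MRCMS code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

SUPER_ADMIN_GID = 1        # gid=1 is the super administrator group named in the advisory
KNOWN_GIDS = {1, 2, 3}     # ASSUMPTION: the groups the application actually defines


class AuthorizationError(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class User:
    name: str
    gid: int
    status: int = 1


@dataclass
class Request:
    form: dict                         # posted fields: gid, nickname, name, pass, description, status
    session_id: Optional[str] = None   # value of the session cookie, None when absent


@dataclass
class Store:
    users: dict = field(default_factory=dict)     # name -> User
    sessions: dict = field(default_factory=dict)  # session id -> name of the logged-in user


def vulnerable_save(store: Store, req: Request) -> User:
    """Mirrors the flaw: trusts every form field and never consults the session."""
    user = User(req.form["name"], int(req.form["gid"]), int(req.form.get("status", "1")))
    store.users[user.name] = user
    return user


def hardened_save(store: Store, req: Request) -> User:
    """The same operation with the checks a user-creation endpoint must perform server-side."""
    # 1. Authentication: a session cookie that maps to a logged-in user is mandatory.
    caller_name = store.sessions.get(req.session_id) if req.session_id else None
    if caller_name is None or caller_name not in store.users:
        raise AuthorizationError("not authenticated")
    caller = store.users[caller_name]
    # 2. Authorization: only an active super administrator may create accounts (assumed policy).
    if caller.gid != SUPER_ADMIN_GID or caller.status != 1:
        raise AuthorizationError("caller is not an active super administrator")
    # 3. Input validation: the group id comes from the client, so check it against known groups.
    gid = int(req.form["gid"])
    if gid not in KNOWN_GIDS:
        raise ValueError(f"unknown gid {gid}")
    if req.form["name"] in store.users:
        raise ValueError("user already exists")
    user = User(req.form["name"], gid, int(req.form.get("status", "1")))
    store.users[user.name] = user
    return user


def make_store() -> Store:
    """Constructed fixture: one super administrator and one editor, both with live sessions."""
    store = Store()
    store.users["root"] = User("root", SUPER_ADMIN_GID)
    store.users["editor1"] = User("editor1", 2)
    store.sessions["sess-root"] = "root"
    store.sessions["sess-editor"] = "editor1"
    return store


def demo() -> dict:
    """Run the exploit-shaped request against both handlers and report each outcome."""
    exploit = Request({"gid": "1", "nickname": "svc", "name": "backdoor", "pass": "x", "status": "1"})
    outcomes = {"vulnerable_anon": vulnerable_save(make_store(), exploit).gid}  # succeeds with no session
    for label, sid in (("anon", None), ("editor", "sess-editor"), ("root", "sess-root")):
        try:
            outcomes[f"hardened_{label}"] = hardened_save(make_store(), Request(exploit.form, sid)).gid
        except AuthorizationError as exc:
            outcomes[f"hardened_{label}"] = str(exc)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: authentication first, so an anonymous request is refused before any form field is read, then the caller's role, and only then the client-supplied `gid`, which is validated rather than trusted.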
