CVE-2026-42515
Improper Access Control in e-Sushrut API Enables Data Exposure
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: Indian Computer Emergency Response Team (CERT-In)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the e-Sushrut system due to improper access control in resource access validation.
An authenticated attacker can exploit this by manipulating a parameter in the API request URL to gain unauthorized access to sensitive patient information on the targeted system.
How can this vulnerability impact me? :
The vulnerability allows an attacker with valid authentication to bypass access controls and access sensitive patient information without authorization.
This can lead to exposure of confidential patient data, potentially resulting in privacy breaches and misuse of personal health information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker to gain unauthorized access to sensitive patient information by exploiting improper access control in the e-Sushrut system.
Such unauthorized access to sensitive patient data can lead to violations of data protection regulations and standards such as GDPR and HIPAA, which mandate strict controls on access to personal and health information.
Therefore, this vulnerability negatively impacts compliance with these common standards by exposing protected health information to unauthorized parties.
Can you explain this vulnerability to me?
This vulnerability exists in the e-Sushrut system due to improper access control in resource access validation.
An authenticated attacker can exploit this vulnerability by manipulating a parameter in the API request URL.
This manipulation allows the attacker to gain unauthorized access to sensitive patient information on the targeted system.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive patient information.
This unauthorized access can compromise patient privacy and potentially lead to misuse of confidential data.
Such a breach can damage trust in the affected healthcare system and may result in legal and financial consequences.