CVE-2026-5251
Received Received - Intake
Remote Object Attribute Manipulation in z-9527 Admin User Endpoint

Publication date: 2026-04-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5251
EUVD
EUVD-2026-17771
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5251 is a mass assignment vulnerability in the Z-9527 Admin software, specifically in the user update functionality at the /user/update endpoint.

The vulnerability occurs because the application directly uses user-supplied input parameters to update database fields without validating or restricting which fields can be modified.

This allows an authenticated user to manipulate sensitive fields such as 'isAdmin' by setting it to 1, thereby escalating their privileges to admin.

The attack can be launched remotely and the exploit is publicly available.

Impact Analysis

This vulnerability can allow an attacker with valid user credentials to escalate their privileges to an administrator level by modifying sensitive fields like 'isAdmin'.

As a result, the attacker can gain unauthorized administrative access, potentially leading to full control over the application, unauthorized data access, data modification, or further exploitation.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the `/user/update` POST endpoint for suspicious parameters, especially the presence of the `isAdmin` field being set to 1 by non-admin users.

You can detect exploitation attempts by capturing HTTP requests and inspecting the payload for unauthorized updates to privileged fields.

Suggested commands include using network traffic inspection tools like curl or tcpdump combined with grep to identify suspicious requests.

  • Using curl to test the endpoint for privilege escalation attempt: curl -X POST https://<target>/user/update -H "Cookie: session=<valid_session_token>" -d '{"isAdmin":1}'
  • Using tcpdump to capture HTTP POST requests to `/user/update`: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/user/update'
  • Using log analysis to search for updates containing `isAdmin` parameter in server logs or web application logs.
Mitigation Strategies

Immediate mitigation steps include implementing strict input validation and access control on the `/user/update` endpoint.

  • Implement a whitelist of allowed fields that can be updated by users, excluding privileged fields like `isAdmin`.
  • Separate privileged fields updates into admin-only routes with proper role-based access control.
  • Use an ORM or explicit field mapping to prevent arbitrary database column updates.
  • Validate all input parameters against allowed attributes before processing the update.

These steps will prevent unauthorized users from escalating privileges by manipulating the `isAdmin` field or other sensitive attributes.

Compliance Impact

The vulnerability allows an authenticated user to escalate privileges by modifying sensitive fields such as isAdmin without proper validation or access control.

Such unauthorized privilege escalation and improper access control can lead to unauthorized access to sensitive personal or protected health information, which may violate compliance requirements under standards like GDPR and HIPAA.

Specifically, failure to restrict updates to privileged fields and lack of input validation increase the risk of data breaches and unauthorized data manipulation, which are critical concerns in regulatory compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5251. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart