CVE-2026-5330
Received Received - Intake
Improper Access Control in Mayuri_k Courier User Deletion

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component User Delete Handler. Performing a manipulation of the argument ID results in improper access controls. The attack may be initiated remotely. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5330
EUVD
EUVD-2026-18215
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sourcecodester mayuri_k_best_courier_management_system 1.0
gaatitrack courier_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated attackers to delete any registered user, including administrators, from the system. Such unauthorized deletion of user data can lead to denial of service and loss of administrative control.

Improper access control and unauthorized deletion of user records can result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal data and the integrity and availability of such data.

Specifically, the vulnerability could lead to violations of principles like data integrity, availability, and access control mandated by these standards, potentially exposing organizations to legal and regulatory consequences.

Executive Summary

This vulnerability exists in the Gaatitrack Courier Management System version 1.0, specifically in the ajax.php file's delete_user action. The issue is due to missing authorization checks, allowing unauthenticated attackers to send a simple HTTP POST request to delete any user by specifying their user ID. There is no session validation or access control, so attackers can delete any registered user, including administrators, without logging in.

The deletion is permanent and affects the database directly, which can cause denial of service for legitimate users and loss of administrative control.

Impact Analysis

This vulnerability can have serious impacts including unauthorized deletion of any user account, even administrator accounts. This can lead to denial of service for legitimate users who lose their accounts and can also result in loss of administrative control over the system.

Because the deletion is permanent, it can cause irreversible data loss and disrupt normal operations of the courier management system.

Detection Guidance

This vulnerability can be detected by monitoring for unauthenticated HTTP POST requests sent to the endpoint /ajax.php?action=delete_user with a user ID parameter. An example detection method is to look for POST requests that attempt to delete users without proper authentication.

A simple test command to detect the vulnerability is to send an unauthenticated POST request to the endpoint with a valid user ID and observe if the server responds with a success indicator.

  • curl -X POST "http://<target-host>/ajax.php?action=delete_user" -d "id=8"

If the response indicates success (e.g., returns '1') and the user record is deleted without authentication, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include implementing mandatory global authentication checks at the entry point of ajax.php to restrict access to logged-in users only.

Additionally, enforce Role-Based Access Control (RBAC) to ensure that only users with administrative privileges can perform sensitive actions such as deleting users.

Consider using soft deletion techniques by marking records with an is_deleted flag instead of physically deleting them, to prevent irreversible data loss from malicious or accidental deletions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5330. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart