CVE-2026-5330
Improper Access Control in Mayuri_k Courier User Deletion
Publication date: 2026-04-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Missing authorization check in the delete_user action of ajax.php in the Courier Management System 1.0 (listed under both sourcecodester mayuri_k_best_courier_management_system 1.0 and gaatitrack courier_management_system 1.0): an unauthenticated attacker can delete any registered user account, including administrator accounts, by sending a POST request that names the target user ID.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | mayuri_k_best_courier_management_system | 1.0 |
| gaatitrack | courier_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability lets an unauthenticated attacker delete any registered user, including administrators, so it can cause denial of service for legitimate users and loss of administrative control.
Regulations such as GDPR and HIPAA require controlled access to personal data and the integrity and availability of that data. An endpoint that lets anyone reachable over the network erase user records without authenticating fails those requirements and can expose the operating organization to legal and regulatory consequences.
Can you explain this vulnerability to me?
This vulnerability exists in the Gaatitrack Courier Management System version 1.0, specifically in the ajax.php file's delete_user action. The issue is due to missing authorization checks, allowing unauthenticated attackers to send a simple HTTP POST request to delete any user by specifying their user ID. There is no session validation or access control, so attackers can delete any registered user, including administrators, without logging in.
The deletion is permanent and affects the database directly, which can cause denial of service for legitimate users and loss of administrative control.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized deletion of any user account, even administrator accounts. This can lead to denial of service for legitimate users who lose their accounts and can also result in loss of administrative control over the system.
Because the deletion is permanent, it can cause irreversible data loss and disrupt normal operations of the courier management system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
In web-server access logs, look for requests whose target is /ajax.php?action=delete_user. The action name travels in the query string, so it appears even in the default combined log format; the user ID travels in the POST body and does not, so correlate the timestamp with the application's user table to see which account was removed. The default log formats also do not record the session cookie, so the log alone cannot prove a request was unauthenticated: treat any delete_user call that did not come from the application's own pages (no Referer, a scripted user agent such as curl) as suspect and confirm against the session store.
To confirm the missing check directly, send an unauthenticated POST to the endpoint with a user ID:
```shell
curl -X POST "http://<target-host>/ajax.php?action=delete_user" -d "id=8"
```
If the request succeeds without a session cookie (e.g., the handler returns '1') and the user record is gone, the system is vulnerable. This test is destructive: it deletes the account whose ID you supply, so run it only against a test copy with a throwaway account. An ID that does not exist exercises the missing check without deleting anything, but the response value then depends on how the handler reports a zero-row delete, so it is not a reliable positive result.
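The log review described above, written out as an added example (this is not code from the page or from the project): a PHP script that scans access-log lines in the Apache/nginx "combined" format, keeps every request whose target is ajax.php with action=delete_user (in any sub-directory, with any extra query parameters), marks calls with no Referer as suspect, and counts calls per source address. The log lines, hostnames, addresses and user agents are constructed for the example; the "suspicious" flag is a heuristic, because the combined format carries no session cookie.

```php
<?php
// Added example, not code from the page or the project: scan web-server access-log
// lines in Apache/nginx "combined" format for requests to ajax.php?action=delete_user.
// The log lines below are constructed; hosts, IPs and user agents are made up.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [02/Apr/2026:10:15:40 +0000] "POST /ajax.php?action=delete_user HTTP/1.1" 200 1 "http://courier.example/users.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
198.51.100.23 - - [02/Apr/2026:11:02:13 +0000] "POST /ajax.php?action=delete_user HTTP/1.1" 200 1 "-" "curl/8.5.0"
198.51.100.23 - - [02/Apr/2026:11:02:14 +0000] "POST /ajax.php?action=delete_user HTTP/1.1" 200 1 "-" "curl/8.5.0"
198.51.100.23 - - [02/Apr/2026:11:02:15 +0000] "POST /courier/ajax.php?action=delete_user&x=1 HTTP/1.1" 200 1 "-" "python-requests/2.31"
192.0.2.9 - - [02/Apr/2026:11:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Apr/2026:11:06:05 +0000] "POST /ajax.php?action=save_user HTTP/1.1" 200 1 "http://courier.example/users.php" "Mozilla/5.0"
LOG;

// One combined-format line: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
const LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

/** True when the request target is .../ajax.php with action=delete_user in its query string. */
function isDeleteUserTarget(string $target): bool
{
    $url = parse_url($target);
    if ($url === false || !str_ends_with($url['path'] ?? '', '/ajax.php')) {
        return false;
    }
    parse_str($url['query'] ?? '', $query);
    return ($query['action'] ?? '') === 'delete_user';
}

/** Return one finding per matching line. 'suspicious' is a heuristic, not proof of an attack. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_RE, $line, $m) || !isDeleteUserTarget($m['target'])) {
            continue;   // not a combined-format line, or not the delete_user action
        }
        $findings[] = [
            'ip'      => $m['ip'],
            'time'    => $m['time'],
            'method'  => $m['method'],
            'status'  => (int) $m['status'],
            'referer' => $m['referer'],
            'ua'      => $m['ua'],
            // The app's own pages send a Referer; a raw curl/script call usually does not.
            // Access logs carry no session cookie, so unauthenticated use cannot be proven here.
            'suspicious' => $m['referer'] === '-' || $m['referer'] === '',
        ];
    }
    return $findings;
}

/** Count delete_user calls per source address so bursts from one client stand out. */
function countBySource(array $findings): array
{
    $counts = [];
    foreach ($findings as $f) {
        $counts[$f['ip']] = ($counts[$f['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

$findings = scanAccessLog(SAMPLE_LOG);
foreach ($findings as $f) {
    printf("%s %-15s %s %s %d referer=%s ua=%s\n", $f['suspicious'] ? 'SUSPECT' : 'review ',
        $f['ip'], $f['time'], $f['method'], $f['status'], $f['referer'], $f['ua']);
}
print_r(countBySource($findings));
```

Run with `php scan.php` (PHP 8 or later for str_ends_with). The admin's own deletion from the users page is reported for review, the three scripted calls from 198.51.100.23 are flagged as suspect, and the save_user and index.php lines are ignored. Matching on the parsed path and query rather than on a substring keeps a sub-directory install and extra parameters from slipping past the check.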
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing mandatory global authentication checks at the entry point of ajax.php to restrict access to logged-in users only.
Additionally, enforce Role-Based Access Control (RBAC) to ensure that only users with administrative privileges can perform sensitive actions such as deleting users.
Consider using soft deletion techniques by marking records with an is_deleted flag instead of physically deleting them, to prevent irreversible data loss from malicious or accidental deletions.
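The three mitigation steps above, carried out as one added example in PHP (this is not the project's own code). The gate runs before any action is dispatched and returns 401 without a login and 403 for a non-administrator calling an admin-only action; the delete handler validates the ID, refuses self-deletion, and flips an is_deleted flag instead of removing the row. The session keys login_id and login_type, the role value 1 for administrator, the users table with is_deleted, deleted_by and deleted_at columns, and the in-memory SQLite demo data are all assumptions made for illustration, not the application's real schema.

```php
<?php
// Added example, not the project's code: an authorization gate for ajax.php actions,
// the delete_user handler rewritten as a soft delete, and a self-contained SQLite demo.
// Session keys (login_id, login_type), role value 1 = administrator, and the users
// table with an is_deleted column are assumptions made for illustration.
declare(strict_types=1);

const ADMIN_ROLE = 1;
// Actions that change other people's accounts are admin-only; every action still needs a login.
const ADMIN_ONLY_ACTIONS = ['delete_user', 'save_user'];

/** Decide [http status, message] for a session and action before any handler runs. */
function authorize(array $session, string $action): array
{
    if (empty($session['login_id'])) {
        return [401, 'authentication required'];        // the check the vulnerable version lacks
    }
    if (in_array($action, ADMIN_ONLY_ACTIONS, true)
        && (int) ($session['login_type'] ?? 0) !== ADMIN_ROLE) {
        return [403, 'administrator privilege required'];
    }
    return [200, 'ok'];
}

/** Mark a user deleted instead of removing the row; refuses self-deletion and repeat deletes. */
function softDeleteUser(PDO $db, int $actorId, int $targetId): bool
{
    if ($actorId === $targetId) {
        return false;                                   // an admin must not lock themselves out
    }
    $stmt = $db->prepare(
        'UPDATE users SET is_deleted = 1, deleted_by = :actor, deleted_at = CURRENT_TIMESTAMP
         WHERE id = :id AND is_deleted = 0'
    );
    $stmt->execute([':actor' => $actorId, ':id' => $targetId]);
    return $stmt->rowCount() === 1;
}

/** As it would sit at the top of ajax.php: gate first, then dispatch. Returns [status, body]. */
function handleDeleteUser(PDO $db, array $session, string $action, array $post, string $method): array
{
    [$code, $msg] = authorize($session, $action);
    if ($code !== 200) {
        return [$code, $msg];
    }
    if ($method !== 'POST') {
        return [405, 'POST required'];
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [400, 'invalid id'];
    }
    return softDeleteUser($db, (int) $session['login_id'], $id) ? [200, '1'] : [409, 'not deleted'];
}

// Demo on an in-memory database; constructed data for this example only.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, type INTEGER,
           is_deleted INTEGER NOT NULL DEFAULT 0, deleted_by INTEGER, deleted_at TEXT)');
$db->exec("INSERT INTO users (id, username, type) VALUES (1, 'admin', 1), (8, 'staff', 2)");

$anon  = [];                                            // no session: the CVE's attacker
$staff = ['login_id' => 8, 'login_type' => 2];
$admin = ['login_id' => 1, 'login_type' => 1];

foreach ([
    ['unauthenticated', $anon,  ['id' => '8']],
    ['staff user',      $staff, ['id' => '1']],
    ['admin',           $admin, ['id' => '8']],
    ['admin again',     $admin, ['id' => '8']],
] as [$who, $session, $post]) {
    [$code, $body] = handleDeleteUser($db, $session, 'delete_user', $post, 'POST');
    printf("%-16s -> %d %s\n", $who, $code, $body);
}
// The row is still there for recovery, only flagged:
print_r($db->query('SELECT id, username, is_deleted, deleted_by FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

Requires the pdo_sqlite extension to run the demo. In the real entry point the call becomes `handleDeleteUser($db, $_SESSION, $_GET['action'] ?? '', $_POST, $_SERVER['REQUEST_METHOD'])` after `session_start()`, and the same `authorize()` call guards every other action in the file so the fix is not limited to delete_user. The demo prints 401 for the anonymous request, 403 for the staff user, 200 with '1' for the administrator, and 409 on the repeat, and the staff row survives with is_deleted set to 1.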