CVE-2026-5781
Undergoing Analysis Undergoing Analysis - In Progress
Authorization Bypass in MphRx Minerva V3.6.0 Enables Privilege Escalation

Publication date: 2026-04-28

Last updated on: 2026-05-05

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitation of this vulnerability could allow an authenticated user to obtain administrator privileges. It is not possible to escalate privileges through the graphical user interface.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-05-05
Generated
2026-05-07
AI Q&A
2026-04-29
EPSS Evaluated
2026-05-05
NVD
CVE-2026-5781
EUVD
EUVD-2026-26040
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agilonhealth minerva 3.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows an authenticated user with user modification privileges to escalate their privileges to administrator level by manipulating the 'identifier' field in an HTTP request. This unauthorized privilege escalation could lead to unauthorized access to sensitive data or system functions.

Such unauthorized access and privilege escalation could potentially impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

However, the provided information does not explicitly state the direct effects on compliance with these standards.


Can you explain this vulnerability to me?

This vulnerability exists in MphRx's Minerva version 3.6.0, specifically in the '/minerva/moUser/update' endpoint. It allows an authenticated user who already has user modification privileges to escalate their privileges by sending a specially crafted HTTP request with a manipulated 'identifier' field.

Exploitation of this vulnerability can grant the attacker administrator privileges, which they would not normally have. Notably, this privilege escalation cannot be performed through the graphical user interface, only via direct HTTP requests.


How can this vulnerability impact me? :

If exploited, this vulnerability can allow an authenticated user with limited privileges to gain administrator-level access. This elevated access could enable the attacker to perform unauthorized actions, modify critical system settings, access sensitive data, or disrupt normal operations.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart