CVE-2026-5781
Analyzed Analyzed - Analysis Complete
Authorization Bypass in MphRx Minerva V3.6.0 Enables Privilege Escalation

Publication date: 2026-04-28

Last updated on: 2026-05-28

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitation of this vulnerability could allow an authenticated user to obtain administrator privileges. It is not possible to escalate privileges through the graphical user interface.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5781
EUVD
EUVD-2026-26040
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agilonhealth minerva 3.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated user with user modification privileges to escalate their privileges to administrator level by manipulating the 'identifier' field in an HTTP request. This unauthorized privilege escalation could lead to unauthorized access to sensitive data or system functions.

Such unauthorized access and privilege escalation could potentially impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

However, the provided information does not explicitly state the direct effects on compliance with these standards.

Executive Summary

This vulnerability exists in MphRx's Minerva version 3.6.0, specifically in the '/minerva/moUser/update' endpoint. It allows an authenticated user who already has user modification privileges to escalate their privileges by sending a specially crafted HTTP request with a manipulated 'identifier' field.

Exploitation of this vulnerability can grant the attacker administrator privileges, which they would not normally have. Notably, this privilege escalation cannot be performed through the graphical user interface, only via direct HTTP requests.

Impact Analysis

If exploited, this vulnerability can allow an authenticated user with limited privileges to gain administrator-level access. This elevated access could enable the attacker to perform unauthorized actions, modify critical system settings, access sensitive data, or disrupt normal operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5781. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart