CVE-2026-6492
Information Disclosure via Health Check Endpoint in arnobt78 Hotel Booking System
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: VulDB
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is in the arnobt78 Hotel Booking Management System, in an unspecified function of the /api/health/detailed file that belongs to the Health Check Endpoint component.
A request to this endpoint can disclose sensitive information: access to the endpoint is not properly restricted (CWE-284), so the data it reports is exposed to actors who are not authorized to see it (CWE-200).
The endpoint is reachable remotely, and exploit code is publicly available.
How can this vulnerability impact me?
The primary impact is information disclosure: sensitive or confidential data handled by the system may be exposed to unauthorized parties.
Because the vulnerability can be exploited remotely without authentication, an attacker needs no prior access or credentials to obtain that information.
This can lead to privacy breaches, loss of trust, and follow-on attacks that leverage the disclosed information (for example, credentials or internal details that help an attacker reach other components).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability results in information disclosure through the Health Check Endpoint of the arnobt78 Hotel Booking Management System. Unauthorized disclosure of this kind can affect compliance with data protection regulations such as GDPR and HIPAA, which require personal and sensitive information to be protected.
However, this advisory does not specify the nature or sensitivity of the disclosed information, and it does not link the vulnerability to any specific compliance violation or regulatory consequence; that assessment depends on what your deployment actually returns from the endpoint.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an information disclosure in the /api/health/detailed endpoint of the arnobt78 Hotel Booking Management System. To check an installation, send a request to the endpoint without any credentials and inspect the result: an HTTP 200 response whose body contains information you would not want public indicates exposure, while a 401, 403 or 404 indicates that the endpoint is restricted or not present. The path assumes the application is served at the site root; adjust it if the application is deployed under a prefix.
A simple probe uses curl, for example: curl -v http://<target-host>/api/health/detailed
To detect exploitation attempts, review reverse-proxy, WAF or application access logs for requests to /api/health/detailed from addresses other than your own monitoring hosts, and alert on them; a public exploit means such requests are likely to come from scanners as well as targeted attackers.
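The following script is an added example for the detection step above; it is not code from the advisory or from the arnobt78 project. It fetches the endpoint without credentials, reports the HTTP status, and flags JSON field names that commonly carry secrets or internal configuration. The advisory does not say what the endpoint returns, so the indicator list and the two sample bodies are assumptions and constructed inputs, not captures from the real product. The same probe can be re-run after applying the mitigations in the next section to confirm the endpoint no longer answers with such fields.

```shell
#!/bin/sh
# Added example (not from the advisory or the arnobt78 project): probe
# /api/health/detailed without credentials and flag response fields whose
# names suggest secrets or internal configuration.

# Field names commonly associated with sensitive data. This list is an
# assumption; extend it for your environment.
SENSITIVE_PATTERN='password|passwd|secret|token|api[_-]?key|private[_-]?key|connection[_-]?string|database[_-]?url|smtp|env'

# find_sensitive_fields BODY
# Extracts JSON object keys from BODY, prints the ones matching
# SENSITIVE_PATTERN (one per line, case-insensitive, de-duplicated) and
# returns 0 if any matched, 1 otherwise.
find_sensitive_fields() {
    matches=$(printf '%s' "$1" \
        | grep -oE '"[^"]+"[[:space:]]*:' \
        | sed 's/^"//; s/"[[:space:]]*:$//' \
        | grep -iE "$SENSITIVE_PATTERN" \
        | sort -u)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
    return 0
}

# probe_health_endpoint URL
# Fetches URL with no credentials and reports the HTTP status. Returns 0 when
# an HTTP 200 body contains sensitive-looking fields (endpoint exposed),
# 1 when it does not or the endpoint is restricted (401/403/404), and
# 2 on a transport error.
probe_health_endpoint() {
    url="$1"
    tmp=$(mktemp) || return 2
    code=$(curl -sS --max-time 10 -o "$tmp" -w '%{http_code}' "$url") || { rm -f "$tmp"; return 2; }
    body=$(cat "$tmp")
    rm -f "$tmp"
    printf 'HTTP %s from %s\n' "$code" "$url"
    if [ "$code" = "200" ] && find_sensitive_fields "$body"; then
        printf 'WARNING: endpoint answers without authentication and exposes the fields above\n'
        return 0
    fi
    printf 'No sensitive-looking fields in the response (or endpoint restricted)\n'
    return 1
}

# Constructed sample bodies for offline checking; they are not captured from
# the product and only illustrate what a harmless and a leaking response
# might look like.
SAMPLE_SAFE='{"status":"ok","uptime":1234}'
SAMPLE_LEAK='{"status":"ok","database":{"url":"postgres://app:S3cret@db:5432/hotel","password":"S3cret"},"env":{"JWT_SECRET":"abc","SMTP_HOST":"mail.example"}}'

# Usage against a live host (not executed here; <target-host> is a placeholder):
# probe_health_endpoint "http://<target-host>/api/health/detailed"
```

Run `probe_health_endpoint` against each installation from a host outside your monitoring allowlist. A non-200 status is the expected result once the endpoint has been restricted; a 200 with matching fields means the detailed health data is still reachable anonymously. The key-name heuristic is deliberately simple and will miss secrets stored under unusual names, so also read the raw body once by hand.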
What immediate steps should I take to mitigate this vulnerability?
Restrict access to /api/health/detailed to trusted users or internal networks only, for example by requiring authentication for the route or by allowlisting your monitoring hosts at the reverse proxy.
Network-level controls such as firewalls or access control lists that keep the endpoint off the public internet reduce exposure; if you filter by client address behind a proxy or load balancer, make sure the filter acts on the real client address rather than on a header such as X-Forwarded-For that an attacker can set.
Monitor for exploitation attempts and apply any patches or updates from the vendor as soon as they become available.
Because the vendor has not responded and the exploit is public, disable the detailed health check endpoint, or restrict it as described above, until a fix is released.