CVE-2026-10152
Improper Access Control in lin-cms-spring-boot
Publication date: 2026-05-30
Last updated on: 2026-05-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tale_lin | lin_cms_spring_boot | to 0.2.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Lin-CMS Spring Boot framework version 0.2.1, specifically in the BookController component. It is caused by missing permission checks in two endpoints: the POST /v1/book endpoint for creating books and the PUT /v1/book/{id} endpoint for updating books. Because these endpoints lack proper access control, unauthenticated attackers can create arbitrary books or modify any existing book's information without needing to authenticate.
The update endpoint uses a predictable ID pattern, which allows attackers to iterate through book IDs and modify all books in the database. This improper access control can be exploited remotely.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized creation and modification of book records in the affected system. Attackers can manipulate book data without authentication, potentially corrupting or defacing content, injecting malicious data, or disrupting normal operations.
Because the attacker can update any book by iterating through predictable IDs, the entire book database is at risk of unauthorized changes, which can compromise data integrity and trustworthiness.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized POST and PUT requests to the endpoints /v1/book and /v1/book/{id} respectively, which lack proper permission checks.
You can use commands like curl to test these endpoints for unauthorized access by attempting to create or update book entries without authentication.
- curl -X POST http://<target>/v1/book -d '{"title":"TEST"}' -H 'Content-Type: application/json'
- curl -X PUT http://<target>/v1/book/1 -d '{"title":"Hacker"}' -H 'Content-Type: application/json'
Additionally, network monitoring tools can be configured to alert on such suspicious requests targeting these endpoints.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to implement proper permission checks on the affected endpoints in the BookController, specifically the createBook and updateBook methods.
Adding permission annotations to these methods will enforce access control and prevent unauthorized users from creating or modifying book entries.
Until a patch is applied, restrict access to these endpoints by network-level controls such as firewalls or API gateways to limit exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in TaleLin lin-cms-spring-boot version 0.2.1 allows unauthenticated attackers to perform unauthorized operations on the BookController endpoints, specifically creating and updating book records without proper access control.
This improper access control could lead to unauthorized modification or creation of data, which may result in data integrity and confidentiality issues.
Such unauthorized access and manipulation of data could potentially violate compliance requirements under standards like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.
However, the exact impact on compliance depends on the nature of the data managed by the affected system and whether personal or protected health information is involved.