CVE-2026-10152
Deferred Deferred - Pending Action
Improper Access Control in lin-cms-spring-boot

Publication date: 2026-05-30

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was detected in TaleLin lin-cms-spring-boot up to 0.2.1. This issue affects some unknown processing of the file src/main/java/io/github/talelin/latticy/controller/v1/BookController.java of the component book Endpoint. The manipulation results in improper access controls. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-30
Last Modified
2026-06-01
Generated
2026-06-20
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-10152
EUVD
EUVD-2026-33471
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tale_lin lin_cms_spring_boot to 0.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Lin-CMS Spring Boot framework version 0.2.1, specifically in the BookController component. It is caused by missing permission checks in two endpoints: the POST /v1/book endpoint for creating books and the PUT /v1/book/{id} endpoint for updating books. Because these endpoints lack proper access control, unauthenticated attackers can create arbitrary books or modify any existing book's information without needing to authenticate.

The update endpoint uses a predictable ID pattern, which allows attackers to iterate through book IDs and modify all books in the database. This improper access control can be exploited remotely.

Impact Analysis

This vulnerability can lead to unauthorized creation and modification of book records in the affected system. Attackers can manipulate book data without authentication, potentially corrupting or defacing content, injecting malicious data, or disrupting normal operations.

Because the attacker can update any book by iterating through predictable IDs, the entire book database is at risk of unauthorized changes, which can compromise data integrity and trustworthiness.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST and PUT requests to the endpoints /v1/book and /v1/book/{id} respectively, which lack proper permission checks.

You can use commands like curl to test these endpoints for unauthorized access by attempting to create or update book entries without authentication.

  • curl -X POST http://<target>/v1/book -d '{"title":"TEST"}' -H 'Content-Type: application/json'
  • curl -X PUT http://<target>/v1/book/1 -d '{"title":"Hacker"}' -H 'Content-Type: application/json'

Additionally, network monitoring tools can be configured to alert on such suspicious requests targeting these endpoints.

Mitigation Strategies

The immediate mitigation step is to implement proper permission checks on the affected endpoints in the BookController, specifically the createBook and updateBook methods.

Adding permission annotations to these methods will enforce access control and prevent unauthorized users from creating or modifying book entries.

Until a patch is applied, restrict access to these endpoints by network-level controls such as firewalls or API gateways to limit exposure.

Compliance Impact

The vulnerability in TaleLin lin-cms-spring-boot version 0.2.1 allows unauthenticated attackers to perform unauthorized operations on the BookController endpoints, specifically creating and updating book records without proper access control.

This improper access control could lead to unauthorized modification or creation of data, which may result in data integrity and confidentiality issues.

Such unauthorized access and manipulation of data could potentially violate compliance requirements under standards like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

However, the exact impact on compliance depends on the nature of the data managed by the affected system and whether personal or protected health information is involved.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10152. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart