CVE-2026-32699
Authentication Bypass via Nick Parameter in FacturaScripts
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| facturascripts | facturascripts | 2025.92 |
| neorazorx | facturascripts | up to and including 2025.92 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-472 | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-32699 affects FacturaScripts versions up to 2025.92. It involves improper validation of the 'nick' parameter in the EditUser controller during a POST request. Although the user interface prevents editing this field, an attacker can intercept and modify the 'nick' parameter using a proxy tool, allowing them to rename any account, including the administrator account.
This leads to broken access control because the application processes the change without proper validation. An attacker can log out and log back in with the new username while keeping the original password, enabling identity impersonation and sabotage of audit logs.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to rename accounts, including administrator accounts, which breaks access control.
It enables identity impersonation, meaning an attacker can assume another user's identity without knowing their password.
It can also corrupt audit logs and data integrity because internal references to the original usernames become orphaned, undermining accountability and system integrity in a multi-user environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring POST requests to the EditUser controller for modifications to the 'nick' parameter, which should normally be immutable.
Using a proxy tool like Burp Suite, you can intercept and inspect POST requests to check if the 'nick' parameter is being altered.
There are no specific commands provided in the resources, but network traffic inspection or web application firewall (WAF) logs can be used to identify suspicious POST requests containing changes to the 'nick' parameter.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves preventing unauthorized modification of the 'nick' parameter during POST requests to the EditUser controller.
You should restrict access to the EditUser controller to trusted users only and monitor for unusual changes to user account names.
Using a web application firewall (WAF) to block or alert on POST requests that attempt to modify the 'nick' parameter can help mitigate exploitation.
Additionally, updating FacturaScripts to a version later than 2025.92, where this vulnerability is fixed, is recommended as a permanent solution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized modification of user account identifiers, including the administrator account, which leads to broken access control and potential audit log corruption.
Such unauthorized changes undermine data integrity and accountability, which are critical requirements in compliance frameworks like GDPR and HIPAA that mandate strict access controls and accurate audit trails.
By enabling identity impersonation and sabotage of audit logs, the vulnerability could result in non-compliance with these regulations due to failure to protect user identity and maintain reliable records of user actions.