CVE-2026-38807
Deferred Deferred - Pending Action
Insecure Permissions in kvf-admin v1.0.0

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: MITRE

Description
Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-38807
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kvf kvf-admin 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized privilege escalation by enabling a low-privileged user to take over an administrator account through insecure permissions and lack of proper authorization checks.

Such unauthorized access and privilege escalation can lead to unauthorized access to sensitive data and administrative functions, which may violate compliance requirements of common standards and regulations like GDPR and HIPAA that mandate strict access controls and protection of personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to failure in enforcing proper access controls and protecting user data.

Executive Summary

This vulnerability is an Insecure Permissions issue found in kvf-admin version 1.0.0. It allows a remote attacker to escalate their privileges by exploiting the UserController.java component.

Impact Analysis

An attacker exploiting this vulnerability could gain higher privileges than intended, potentially allowing unauthorized access to sensitive functions or data within the kvf-admin application.

Detection Guidance

This vulnerability can be detected by monitoring and intercepting HTTP requests to the user profile update endpoint (updateInfo) in the kvf-admin system. Specifically, look for requests where the user.id parameter is manipulated to target administrator accounts by low-privileged users.

Commands or tools that can help detect this include using a web proxy or interception tool such as Burp Suite or OWASP ZAP to capture and modify HTTP requests to the updateInfo endpoint.

  • Use curl or similar tools to test if you can update another user's profile by changing the user.id parameter in the request.
  • Example curl command to test privilege escalation (replace URL and parameters accordingly):
  • curl -X POST https://your-kvf-admin-url/updateInfo -d "user.id=admin_id&username=newname" -b "session_cookie_for_low_priv_user"

If the request succeeds in changing the administrator's account details using a low-privileged session, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict the updateInfo endpoint to only allow users to update their own profiles by binding updates to the authenticated user's session.
  • Implement proper authorization checks on the server side to verify that the user has permission to modify the requested user.id.
  • Use allowlists to restrict which fields can be updated by non-administrative users.
  • Separate administrative update APIs from regular user update APIs to prevent privilege escalation.
  • Change or disable default credentials (e.g., test/123456) to prevent easy access to low-privileged accounts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38807. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart