CVE-2026-38807
Insecure Permissions in kvf-admin v1.0.0
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kvf | kvf-admin | 1.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Insecure Permissions issue found in kvf-admin version 1.0.0. It allows a remote attacker to escalate their privileges by exploiting the UserController.java component.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could gain higher privileges than intended, potentially allowing unauthorized access to sensitive functions or data within the kvf-admin application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized privilege escalation by enabling a low-privileged user to take over an administrator account through insecure permissions and lack of proper authorization checks.
Such unauthorized access and privilege escalation can lead to unauthorized access to sensitive data and administrative functions, which may violate compliance requirements of common standards and regulations like GDPR and HIPAA that mandate strict access controls and protection of personal and sensitive information.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to failure in enforcing proper access controls and protecting user data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and intercepting HTTP requests to the user profile update endpoint (updateInfo) in the kvf-admin system. Specifically, look for requests where the user.id parameter is manipulated to target administrator accounts by low-privileged users.
Commands or tools that can help detect this include using a web proxy or interception tool such as Burp Suite or OWASP ZAP to capture and modify HTTP requests to the updateInfo endpoint.
- Use curl or similar tools to test if you can update another user's profile by changing the user.id parameter in the request.
- Example curl command to test privilege escalation (replace URL and parameters accordingly): `curl -X POST https://your-kvf-admin-url/updateInfo -d "user.id=admin_id&username=newname" -b "session_cookie_for_low_priv_user"`
If the request succeeds in changing the administrator's account details using a low-privileged session, the vulnerability is present.
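Interception catches a single request; for continuous monitoring, the same condition (a POST to updateInfo whose user.id differs from the account bound to the session) can be checked against application access logs. The following is an added example written for this page, not kvf-admin code: it parses a constructed log format of the form `<timestamp> session_user=<id> <METHOD> <path> <body>` (an assumption, since the page does not describe kvf-admin's logging) and flags cross-account updates.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not kvf-admin code). Scans access-log lines for POST /updateInfo
 * requests where the user.id body parameter names a different account than the
 * one bound to the session. The log format is constructed for this example:
 *   <timestamp> session_user=<id> <METHOD> <path> [<body parameters>]
 */
public class UpdateInfoIdorDetector {

    private static final Pattern LINE = Pattern.compile(
        "^(\\S+) session_user=(\\d+) (\\S+) (\\S+)(?: (.*))?$");
    private static final Pattern USER_ID_PARAM = Pattern.compile("(?:^|&)user\\.id=(\\d+)");

    /** Returns the log lines that look like cross-account profile updates. */
    public static List<String> findSuspicious(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;                  // not in the expected format
            String sessionUser = m.group(2);
            String method = m.group(3);
            String path = m.group(4);
            String params = m.group(5) == null ? "" : m.group(5);
            if (!"POST".equals(method) || !"/updateInfo".equals(path)) continue;
            Matcher p = USER_ID_PARAM.matcher(params);
            // A user.id that is present and differs from the session owner is the IDOR signature.
            if (p.find() && !p.group(1).equals(sessionUser)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log lines; account 1 is the administrator, 1007 a regular user.
        List<String> sample = List.of(
            "2026-05-27T10:00:01Z session_user=1007 POST /updateInfo user.id=1007&username=alice",
            "2026-05-27T10:00:05Z session_user=1007 POST /updateInfo user.id=1&username=newname",
            "2026-05-27T10:00:09Z session_user=1 GET /updateInfo",
            "2026-05-27T10:00:12Z session_user=1 POST /updateInfo user.id=1&username=admin"
        );
        for (String hit : findSuspicious(sample)) {
            System.out.println("ALERT cross-account updateInfo: " + hit);
        }
    }
}
```

Only the second sample line is reported: the session belongs to user 1007 but the body targets user 1. Self-updates and administrator-initiated updates produce no alert, so the rule can run with a low false-positive rate once the real log fields are mapped onto the two values it compares.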
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict the updateInfo endpoint to only allow users to update their own profiles by binding updates to the authenticated user's session.
- Implement proper authorization checks on the server side to verify that the user has permission to modify the requested user.id.
- Use allowlists to restrict which fields can be updated by non-administrative users.
- Separate administrative update APIs from regular user update APIs to prevent privilege escalation.
- Change or disable default credentials (e.g., test/123456) to prevent easy access to low-privileged accounts.
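The first four steps above amount to one design rule: the account being edited is derived from the server-side session, never from a client-supplied user.id, and non-administrative callers may only touch an allowlisted set of fields. The following added example (written for this page, not kvf-admin's UserController) models that rule in plain Java; Session and User are hypothetical minimal stand-ins for the framework's session and entity types, and the vulnerable handler is included only to contrast with the hardened one.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not kvf-admin code). A profile update service that binds the
 * update target to the authenticated session, allowlists editable fields for
 * regular users, and keeps administrative updates on a separate, role-checked API.
 */
public class ProfileUpdateService {

    /** Hypothetical stand-in for the framework's authenticated session. */
    public static final class Session {
        final long userId;
        final boolean admin;
        public Session(long userId, boolean admin) { this.userId = userId; this.admin = admin; }
    }

    /** Hypothetical stand-in for the persisted user record. */
    public static final class User {
        final long id;
        String username;
        String email;
        String role;
        public User(long id, String username, String email, String role) {
            this.id = id; this.username = username; this.email = email; this.role = role;
        }
    }

    // Fields a non-administrative user may change on their own profile.
    private static final Set<String> SELF_EDITABLE = Set.of("username", "email");

    private final Map<Long, User> users = new HashMap<>();

    public ProfileUpdateService(User... seed) {
        for (User u : seed) users.put(u.id, u);
    }

    /** Vulnerable shape: trusts user.id from the request body (shown for contrast only). */
    public boolean updateInfoTrustingClientId(Session session, Map<String, String> body) {
        String id = body.get("user.id");
        if (id == null) return false;
        User target = users.get(Long.parseLong(id));   // any caller can name any account
        if (target == null) return false;
        body.forEach((k, v) -> apply(target, k, v));
        return true;
    }

    /** Hardened: the target is always the session's own account; fields are allowlisted. */
    public boolean updateOwnProfile(Session session, Map<String, String> body) {
        for (String field : body.keySet()) {
            if (!SELF_EDITABLE.contains(field)) return false;   // rejects user.id, role, etc.
        }
        User target = users.get(session.userId);         // never taken from the request
        if (target == null) return false;
        body.forEach((k, v) -> apply(target, k, v));
        return true;
    }

    /** Separate administrative API with an explicit server-side role check. */
    public boolean adminUpdateUser(Session session, long targetId, Map<String, String> body) {
        if (!session.admin) return false;
        User target = users.get(targetId);
        if (target == null) return false;
        body.forEach((k, v) -> apply(target, k, v));
        return true;
    }

    private static void apply(User u, String field, String value) {
        switch (field) {
            case "username": u.username = value; break;
            case "email":    u.email = value;    break;
            case "role":     u.role = value;     break;
            default: break;                      // unknown fields are ignored
        }
    }

    public User find(long id) { return users.get(id); }

    public static void main(String[] args) {
        ProfileUpdateService svc = new ProfileUpdateService(
            new User(1, "admin", "admin@example.invalid", "ADMIN"),
            new User(1007, "test", "test@example.invalid", "USER"));
        Session lowPriv = new Session(1007, false);

        // Constructed request body naming the administrator's id instead of the caller's own.
        Map<String, String> crossAccount = Map.of("user.id", "1", "username", "newname");

        System.out.println("vulnerable handler accepted: " + svc.updateInfoTrustingClientId(lowPriv, crossAccount)
            + ", admin username now: " + svc.find(1).username);
        svc.find(1).username = "admin";                  // reset before the hardened run

        System.out.println("hardened handler accepted: " + svc.updateOwnProfile(lowPriv, crossAccount)
            + ", admin username still: " + svc.find(1).username);
        System.out.println("own-profile update: " + svc.updateOwnProfile(lowPriv, Map.of("username", "alice")));
        System.out.println("admin API as low-priv: " + svc.adminUpdateUser(lowPriv, 1, Map.of("role", "USER")));
    }
}
```

The allowlist check runs before any lookup, so a body carrying user.id or role is refused outright rather than silently stripped; refusing makes the tampering visible in logs, which pairs with the detection approach described earlier. Keeping adminUpdateUser as its own method (and, in a real controller, its own route) means the regular endpoint never has a code path that reaches another account.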