CVE-2026-42569
Unauthenticated Access to Legacy Import in phpVMS
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpvms | phpvms | up to 7.0.6 (excluding) |
| phpvms | phpvms | 7.0.6 |
| phpvms | phpvms | 7.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42569 is a critical security vulnerability in phpVMS versions 7.x up to 7.0.5 that allows unauthenticated access to a legacy import feature.
This vulnerability arises from improper access control, missing authentication, and missing authorization checks, which enable remote attackers to trigger internal import processes without any user interaction.
The issue was fixed in version 7.0.6 by removing the web-facing importer feature and disabling the related routes, preventing unauthorized access.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized modification or deletion of application data.
In the worst case, an attacker could perform a full database wipe, severely affecting the integrity and availability of the system.
Because the vulnerability allows unauthenticated remote access, it poses a high risk without requiring any user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthenticated access to a legacy import feature in phpVMS versions 7.0.5 and earlier. Detection can focus on identifying if the vulnerable importer routes are present and accessible on your system.
You can check your phpVMS installation for the presence of the importer routes by searching for the line `$this->mapImporterRoutes();` in the codebase, typically in the file `app/Providers/RouteServiceProvider.php`.
To detect whether the vulnerable importer feature is accessible over the network, you can request the `/importer` URL path on your phpVMS web server and observe whether it responds.
- Use a command like `grep -r 'mapImporterRoutes' /path/to/phpvms` to find if the vulnerable route is enabled.
- Use `curl -I http://your-phpvms-domain/importer` or `wget --spider http://your-phpvms-domain/importer` to check if the importer endpoint is reachable.
If the route exists and the endpoint responds, your system is likely vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade phpVMS to version 7.0.6 or later, where the vulnerable importer feature has been removed.
If upgrading immediately is not possible, a temporary workaround is to manually remove or comment out the line `$this->mapImporterRoutes();` from the `app/Providers/RouteServiceProvider.php` file to disable the vulnerable importer routes.
This action effectively prevents unauthenticated access to the legacy import feature and mitigates the risk of unauthorized data modification or deletion.
After applying the fix or upgrade, verify that the `/importer` endpoint is no longer accessible.
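The detection and verification steps above, as an added helper script that is not part of phpVMS or of this advisory. It assumes the file path `app/Providers/RouteServiceProvider.php` named above, and handles one edge case the plain `grep -r 'mapImporterRoutes'` does not: after the workaround comments the line out, that grep still matches, so the check below only counts calls that are not commented out.

```shell
#!/bin/sh
# Added example (not phpVMS code): check whether the legacy importer routes
# are still registered, and whether /importer still answers over HTTP.

# Usage: importer_route_active /path/to/phpvms/app/Providers/RouteServiceProvider.php
# Returns 0 if an uncommented call to mapImporterRoutes() is present,
# 1 if it is absent or commented out, 2 if the file cannot be read.
# Limitation: only single-line comments (//, #, /* ... */) are stripped;
# a multi-line block comment around the call would still be reported as active.
importer_route_active() {
    file="$1"
    [ -f "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    sed -e 's|/\*.*\*/||' -e 's|//.*$||' -e 's|#.*$||' "$file" \
        | grep -q 'mapImporterRoutes()'
}

# Usage: importer_endpoint_status https://your-phpvms-domain
# Prints the HTTP status code returned for /importer ("000" if unreachable).
# A 404 after the upgrade or workaround is the expected result.
importer_endpoint_status() {
    base="${1%/}"
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$base/importer"
}

# Stand-alone use: PHPVMS_ROOT=/path/to/phpvms PHPVMS_URL=https://host ./check.sh
if [ -n "${PHPVMS_ROOT:-}" ]; then
    if importer_route_active "$PHPVMS_ROOT/app/Providers/RouteServiceProvider.php"; then
        echo "importer routes ACTIVE in RouteServiceProvider.php (vulnerable)"
    else
        echo "importer routes not registered"
    fi
fi
if [ -n "${PHPVMS_URL:-}" ]; then
    echo "/importer returned HTTP $(importer_endpoint_status "$PHPVMS_URL")"
fi
```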
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in phpVMS allows unauthenticated access to a legacy import feature, which can lead to unauthorized modification or deletion of application data, including a full database wipe.
Such unauthorized access and potential data loss or tampering could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and availability.
By enabling remote attackers to modify or delete sensitive data without authentication, this vulnerability could result in violations of these regulations' requirements for protecting personal and sensitive information.
The issue has been patched in version 7.0.6 by removing the vulnerable feature, and users are strongly advised to upgrade to mitigate these compliance risks.