CVE-2026-11521
Status: Received - Intake
Improper Authorization in Bank Management System SpringBoot

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A security vulnerability has been detected in Mohammed-eid35 bank-management-system-springboot up to 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. This affects an unknown part of the file src/main/java/com/alien/bank/management/system/controller/TransactionController.java of the component Transaction Endpoint. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Generated: 2026-06-08
AI Q&A generated: 2026-06-08
EPSS evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

This vulnerability (CVE-2026-11521) exists in the Mohammed-eid35 bank-management-system-springboot application, specifically in the transaction endpoints for deposit and withdrawal.

Due to a misconfiguration in Spring Security, the endpoints `/transaction/deposit` and `/transaction/withdraw` are accessible without proper authentication.

The system does not verify the user's identity or account ownership before processing transactions, relying only on the card number (for deposits) or card number plus CVV (for withdrawals) provided in the request.

An attacker who knows these identifiers can perform unauthorized financial transactions remotely without a valid session.

Compliance Impact

The vulnerability allows unauthenticated users to perform unauthorized financial transactions by exploiting misconfigured security on transaction endpoints. This improper authorization and lack of user identity verification can lead to unauthorized access to sensitive financial data and transactions.

Such unauthorized access and potential financial loss could result in non-compliance with regulations that require strict access controls and protection of personal and financial data, such as GDPR and HIPAA. Specifically, GDPR mandates protecting personal data against unauthorized processing, and HIPAA requires safeguarding patient financial information and ensuring proper authorization.

Therefore, this vulnerability undermines compliance with these standards by failing to enforce proper authentication and authorization controls, potentially exposing sensitive data and financial transactions to unauthorized parties.

Impact Analysis

This vulnerability allows unauthorized users to perform financial transactions such as deposits and withdrawals without proper authentication.

As a result, attackers can cause financial loss by manipulating accounts they do not own.

The lack of proper authorization checks means sensitive financial operations can be exploited remotely, increasing the risk of fraud and unauthorized access.

Detection Guidance

This vulnerability can be detected by checking if the transaction endpoints `/transaction/deposit` and `/transaction/withdraw` are accessible without authentication. An attacker can perform unauthorized transactions by sending requests containing only card number and CVV without a valid session.

To detect this on your system or network, you can attempt to access these endpoints without authentication and observe if transactions are processed.

  • Use curl commands to test the endpoints without authentication, for example:

```shell
curl -X POST http://yourserver/transaction/deposit -d '{"cardNumber":"1234567890123456", "amount":100}' -H "Content-Type: application/json"
curl -X POST http://yourserver/transaction/withdraw -d '{"cardNumber":"1234567890123456", "cvv":"123", "amount":50}' -H "Content-Type: application/json"
```

If these commands succeed without requiring authentication, the vulnerability is present. Note that a successful request actually posts a transaction, so run this check against a test deployment or a dedicated test account rather than live customer accounts.

Mitigation Strategies

Immediate mitigation involves securing the transaction endpoints by requiring proper authentication and authorization.

  • Remove `/transaction/**` from the `permitAll()` configuration in the Spring Security settings.
  • Ensure that the system verifies the identity of the user and confirms that the target account belongs to the authenticated user before processing any transaction.

These steps prevent unauthenticated users from performing unauthorized deposits or withdrawals.
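As an added example that is not code from the Mohammed-eid35 project, the two mitigation steps expressed in Spring Security terms: the weak `permitAll()` rule is left as a comment beside the corrected rule, and the withdrawal handler checks that the card belongs to the authenticated principal before calling the service. The `/auth/**` path, the `AccountRepository`, `TransactionService`, `Account` and `WithdrawRequest` types, and the owner-username field are assumptions, not the project's real names.

```java
// Added illustration, not code from the Mohammed-eid35 project; the repository,
// service and request types below are assumed and will differ from the real ones.
import java.math.BigDecimal;
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.*;
@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            // Weak rule described in the advisory, kept here only as a comment:
            // .requestMatchers("/auth/**", "/transaction/**").permitAll()
            // Corrected: only login/registration (assumed path) stays public;
            // every other request, including /transaction/**, needs a principal.
            .requestMatchers("/auth/**").permitAll()
            .anyRequest().authenticated());
        return http.build();
    }
}
interface AccountRepository { Optional<Account> findByCardNumber(String cardNumber); } // assumed
interface TransactionService { void withdraw(Account a, String cvv, BigDecimal amount); } // assumed
record Account(String cardNumber, String ownerUsername) {} // assumed
record WithdrawRequest(String cardNumber, String cvv, BigDecimal amount) {} // assumed
@RestController
@RequestMapping("/transaction")
class TransactionController {
    private final AccountRepository accounts;
    private final TransactionService transactions;
    TransactionController(AccountRepository accounts, TransactionService transactions) {
        this.accounts = accounts;
        this.transactions = transactions;
    }
    @PostMapping("/withdraw")
    ResponseEntity<Void> withdraw(@RequestBody WithdrawRequest req, Authentication auth) {
        // Authentication alone is not enough: the card must belong to the caller, or any
        // logged-in user could move money out of someone else's account. The same denial
        // covers an unknown card and another user's card, so card numbers are not enumerable.
        Account account = accounts.findByCardNumber(req.cardNumber())
            .filter(a -> a.ownerUsername().equals(auth.getName()))
            .orElseThrow(() -> new AccessDeniedException("not authorized for this account"));
        transactions.withdraw(account, req.cvv(), req.amount());
        return ResponseEntity.ok().build();
    }
}
```

The deposit handler needs the same ownership filter; with the configuration change alone, any authenticated user could still act on accounts they do not own.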
