CVE-2026-13544

Improper Access Control in Feehi CMS API

Vulnerability report for CVE-2026-13544, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A flaw has been found in Feehi CMS up to version 2.1.1. Affected is an unidentified function in the file /api/users of the API component. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded so far.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:
Vendor: feehi
Product: cms
Version / Range: up to 2.1.1 (inclusive)

CWE

CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

AI Quick Actions (instant insights powered by AI)

Executive Summary

The vulnerability in Feehi CMS version 2.1.1 involves improper access controls in the API UserController, specifically affecting the /api/users endpoints.

  • Any authenticated user with a valid token can delete other user accounts arbitrarily via the DELETE endpoints /api/users/{id} and /api/v1/users/{id} without proper authorization.
  • Additionally, any authenticated user can enumerate sensitive Personally Identifiable Information (PII) such as usernames, email addresses, and status by accessing GET /api/users and GET /api/users/{id} endpoints without proper permission checks.

These issues arise because the API does not restrict these actions to admin users, allowing unauthorized data access and user deletion.

Impact Analysis

This vulnerability can have several impacts:

  • Unauthorized deletion of user accounts can lead to data loss and denial of service for legitimate users.
  • Exposure of sensitive user information such as usernames and email addresses can lead to privacy breaches and potential targeted attacks.
  • Attackers can enumerate all registered users, increasing the risk of further exploitation or social engineering.

Detection Guidance

This vulnerability can be detected by monitoring API requests to the Feehi CMS endpoints related to user management, specifically the DELETE and GET requests to /api/users and /api/users/{id}.

  • Check for unauthorized DELETE requests to /api/users/{id} or /api/v1/users/{id} that result in user deletions.
  • Look for GET requests to /api/users or /api/users/{id} that return sensitive user information without proper authorization.

Suggested commands using curl to test for the vulnerability (requires a valid authentication token):

  • To test unauthorized user deletion (replace {id} and {token}): curl -X DELETE -H "Authorization: Bearer {token}" https://your-feehi-cms-domain/api/users/{id}
  • To test unauthorized PII enumeration: curl -X GET -H "Authorization: Bearer {token}" https://your-feehi-cms-domain/api/users

Mitigation Strategies

Immediate mitigation steps involve restricting access to the vulnerable API endpoints to prevent unauthorized actions.

  • Modify the UserController's behaviors() method to restrict DELETE actions to admin-only users, preventing arbitrary user deletions.
  • Restrict GET actions on /api/users and /api/users/{id} to admin-only access or filter out sensitive fields such as email addresses for non-admin users to prevent PII enumeration.

Until an official patch or update is released, consider monitoring and blocking suspicious API requests and enforcing strict authentication and authorization policies.
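As an added illustration of the first mitigation bullet, not code from Feehi CMS or from this report, the following Yii2 REST controller (Feehi CMS is built on Yii2) adds an AccessControl filter to behaviors() after the bearer-token authenticator, so that the user-management actions require an admin role instead of merely a valid token. The namespace, the model class and the RBAC role name 'admin' are assumptions.

```php
<?php
// Added example (hypothetical names): harden a Yii2 REST UserController
// so that a valid token alone no longer grants index/view/delete.
namespace app\modules\v1\controllers;

use yii\filters\AccessControl;
use yii\filters\auth\HttpBearerAuth;
use yii\rest\ActiveController;
use yii\web\ForbiddenHttpException;

class UserController extends ActiveController
{
    // Assumed model class; ActiveController derives index/view/create/
    // update/delete actions from it.
    public $modelClass = 'app\models\User';

    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // Authentication only. On its own this is the weak configuration:
        // every holder of a valid token reaches every action, including
        // DELETE /api/v1/users/{id} and GET /api/v1/users.
        $behaviors['authenticator'] = ['class' => HttpBearerAuth::class];

        // Authorization. Appended after 'authenticator' so the identity is
        // already resolved when the rules run. 'roles' => ['admin'] is
        // checked through the RBAC manager (Yii::$app->user->can('admin')),
        // so that role is assumed to exist. Any request not matched by an
        // allow rule is denied.
        $behaviors['access'] = [
            'class' => AccessControl::class,
            'only'  => ['index', 'view', 'create', 'update', 'delete'],
            'rules' => [
                ['allow' => true, 'roles' => ['admin']],
            ],
            'denyCallback' => function () {
                // 403 rather than 401: the caller is authenticated but not
                // authorized, which is also the event worth logging.
                throw new ForbiddenHttpException('Admin role required.');
            },
        ];

        return $behaviors;
    }
}
```

If index/view are to stay available to ordinary users, add a second allow rule for those actions with 'roles' => ['@'] and strip sensitive attributes such as email in the model's fields() for non-admin identities, which is the second mitigation option the report describes.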
