CVE-2026-13549
Received - Intake

Authorization Bypass in CodeAstro Complaint Management System

Vulnerability report for CVE-2026-13549, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A security flaw has been discovered in CodeAstro Complaint Management System 1.0. The affected element is the function deletereport of the file application/controllers/Report.php of the component Report Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A

Affected Vendors & Products

Associated CPE (1):

Vendor       Product                       Version / Range
codeastro    complaint_management_system   1.0

Exploitability

CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Compliance Impact

This vulnerability allows unauthenticated attackers to permanently delete any report and its associated uploaded files from the server, resulting in complete data loss and potential destruction of sensitive complaint records and uploaded evidence files.

Such unauthorized data deletion and loss of sensitive information can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection, integrity, and availability of personal and sensitive data.

Failure to protect complaint records and evidence files may lead to violations of data protection requirements, potentially resulting in legal and regulatory consequences.

Executive Summary

CVE-2026-13549 is an authorization-bypass vulnerability in CodeAstro Complaint Management System 1.0. It affects the deletereport() function of the Report controller (application/controllers/Report.php), which deletes the report whose identifier is supplied in the URL, together with its associated uploaded files, without first checking that the caller is authenticated or is permitted to remove that particular record.

Because the endpoint acts on a plain GET request and trusts the client-supplied report id, an unauthenticated remote attacker can delete any report simply by requesting its URL, and can step through identifiers to delete every report on the system. A public exploit is available.

The flaw is a missing access check (CWE-285) combined with a record key that the client controls (CWE-639): the deletion endpoint accepts GET requests without verifying either user credentials or ownership of the referenced report.

Impact Analysis

Exploitation of this vulnerability can lead to complete data loss and denial of service by allowing attackers to delete sensitive complaint records and uploaded evidence files.

This can disrupt business operations, cause loss of critical information, and damage trust in the system's integrity.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP GET requests to the deletereport endpoint of the Complaint Management System that are not part of a normal authenticated workflow, in particular bursts of requests for sequential report identifiers from a single client.

Specifically, look for requests matching the pattern: http://<host>/ComplaintMS-CI/report/deletereport/<report_id> where <report_id> is any report identifier. Depending on how the CodeIgniter install is configured, the same route may also appear with an index.php segment (http://<host>/ComplaintMS-CI/index.php/report/deletereport/<report_id>), so match on the /report/deletereport/ path fragment rather than on the full URL.

You can use network monitoring tools or web server logs to identify such requests. Note that a 2xx or 3xx response to such a request means the deletion most likely went through; only a 401 or 403 indicates that the request was rejected.

  • Using the command line, check web server access logs for suspicious GET requests: grep "/report/deletereport/" /var/log/apache2/access.log
  • Use curl to test if the endpoint allows unauthenticated deletion: curl -X GET http://<host>/ComplaintMS-CI/report/deletereport/1 -v (this request is destructive: if the system is vulnerable, report 1 is deleted, so run it only against a test instance or a disposable report)
  • Monitor network traffic for GET requests to the deletereport endpoint using tools like tcpdump or Wireshark; if the site is served over HTTPS, inspect at the web server or reverse proxy instead, where the request is visible in plaintext.
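
As an added example (not code from the CodeAstro project or from this advisory), the following PHP CLI script applies the log hunt described above to Apache/Nginx combined-format access log lines: it extracts every request that reached the deletereport route, whether or not it went through index.php, records the report id and whether the response looks like a completed deletion, and groups the results per source address so an identifier sweep stands out. The log lines embedded in the script are constructed for the demonstration, and the "no Referer" heuristic and the install prefix /ComplaintMS-CI/ are assumptions; pass a real log path as the first argument to run it against your own server.

```php
<?php
// Added example: hunt for deletereport hits in a combined-format access log.
// Not part of the CodeAstro project. Assumes Apache/Nginx "combined" log format;
// the /ComplaintMS-CI/ prefix from the advisory is NOT required by the match.
declare(strict_types=1);

// Constructed sample log lines (not from a real incident).
$sampleLog = <<<'LOG'
198.51.100.23 - - [29/Jun/2026:09:58:11 +0000] "GET /ComplaintMS-CI/report/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jun/2026:10:14:02 +0000] "GET /ComplaintMS-CI/report/deletereport/1 HTTP/1.1" 302 - "-" "curl/8.5.0"
203.0.113.7 - - [29/Jun/2026:10:14:03 +0000] "GET /ComplaintMS-CI/report/deletereport/2 HTTP/1.1" 302 - "-" "curl/8.5.0"
203.0.113.7 - - [29/Jun/2026:10:14:03 +0000] "GET /ComplaintMS-CI/report/deletereport/3 HTTP/1.1" 302 - "-" "curl/8.5.0"
198.51.100.23 - - [29/Jun/2026:10:20:45 +0000] "GET /ComplaintMS-CI/index.php/report/deletereport/7 HTTP/1.1" 302 - "http://cms.example/ComplaintMS-CI/report/" "Mozilla/5.0"
192.0.2.9 - - [29/Jun/2026:10:31:00 +0000] "POST /ComplaintMS-CI/report/deletereport/9 HTTP/1.1" 403 - "-" "python-requests/2.32"
LOG;

/** Parse one combined-format line into its fields, or return null if it does not match. */
function parseLogLine(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" '
        . '(?<status>\d{3}) (?<size>\S+)(?: "(?<referer>[^"]*)" "(?<ua>[^"]*)")?/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m['ip'],
        'time'    => $m['time'],
        'method'  => $m['method'],
        'path'    => $m['path'],
        'status'  => (int) $m['status'],
        'referer' => $m['referer'] ?? '-',
        'ua'      => $m['ua'] ?? '-',
    ];
}

/** Every request that reached the deletereport route (with or without index.php), plus the report id. */
function findDeleteReportHits(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        if (!preg_match('#/report/deletereport/(\d+)#i', $req['path'], $m)) {
            continue;
        }
        $req['report_id'] = (int) $m[1];
        // A 302 here is a post-delete redirect, not a rejection; only a 4xx means the request was refused.
        $req['probably_deleted'] = $req['status'] < 400;
        $hits[] = $req;
    }
    return $hits;
}

/**
 * Group hits per source address. Many distinct ids in a short window from one client,
 * with no in-app Referer, is the enumeration pattern an IDOR sweep leaves behind (assumed heuristic).
 */
function summarizeBySource(array $hits): array
{
    $out = [];
    foreach ($hits as $h) {
        $ip = $h['ip'];
        if (!isset($out[$ip])) {
            $out[$ip] = ['requests' => 0, 'report_ids' => [], 'no_referer' => 0, 'likely_deleted' => 0];
        }
        $out[$ip]['requests']++;
        $out[$ip]['report_ids'][$h['report_id']] = true;
        if ($h['referer'] === '-') {
            $out[$ip]['no_referer']++;
        }
        if ($h['probably_deleted']) {
            $out[$ip]['likely_deleted']++;
        }
    }
    foreach ($out as $ip => $s) {
        $ids = array_keys($s['report_ids']);
        sort($ids);
        $out[$ip]['report_ids'] = $ids;
    }
    return $out;
}

// Usage: php hunt_deletereport.php [/var/log/apache2/access.log]
$log  = ($argc > 1) ? (string) file_get_contents($argv[1]) : $sampleLog;
$hits = findDeleteReportHits($log);
foreach (summarizeBySource($hits) as $ip => $s) {
    printf("%-16s requests=%d distinct_ids=%d no_referer=%d likely_deleted=%d ids=%s\n",
        $ip, $s['requests'], count($s['report_ids']), $s['no_referer'], $s['likely_deleted'],
        implode(',', $s['report_ids']));
}
```

On the constructed sample, 203.0.113.7 shows three sequential ids with no Referer and 3xx responses, which is the pattern to escalate; 192.0.2.9 was refused (403) and 198.51.100.23 looks like an in-app click. Treat the Referer heuristic as a triage aid only, since browsers and privacy extensions may strip it.
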
Mitigation Strategies

Immediate mitigation steps include enforcing strict authentication and authorization checks on the deletereport function.

Ensure that only authenticated users can reach the delete operation, and that the check does not stop at login: the controller must load the report identified by the request and confirm that it belongs to the current user (or that the user holds an administrative role) before deleting it. A login check alone leaves the CWE-639 half of the problem in place, since any authenticated user could still delete other users' reports by changing the id.

Replace the use of GET requests for deletion with CSRF-protected POST requests. In a CodeIgniter 3 application this means enabling $config['csrf_protection'] = TRUE in application/config/config.php, submitting the delete through a form built with form_open() so the token is included, and rejecting non-POST requests in the controller.

Validate user sessions, treat the report id as an integer, and verify user privileges before processing any deletion requests; remove the uploaded files only after the record checks have passed.

Additionally, restrict access to the vulnerable endpoint at the web server or reverse proxy (for example, deny /report/deletereport/ except to trusted addresses) until a fixed release is applied, and review access logs for deletions that may already have occurred.
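
The following is an added example, not CodeAstro's code, that models the decision deletereport() should make as framework-free PHP so the checks can be run from the command line. The vulnerable function reproduces only the behaviour the advisory describes (any method, any caller, any id), and the hardened function applies the mitigation steps above in order: POST only, CSRF token, authenticated session, then ownership or admin role on the specific record. The report and session field names (id, user_id, file, role, csrf) and the admin role are assumptions made for the example.

```php
<?php
// Added example (not CodeAstro code): deletereport() access-control decision, vulnerable vs hardened.
// Assumed field names: reports carry id/user_id/file; the session carries user_id/role/csrf.
declare(strict_types=1);

// Constructed stand-in for the reports table (normally a DB row plus an uploaded file).
function sampleReports(): array
{
    return [
        1 => ['id' => 1, 'user_id' => 10, 'file' => 'uploads/evidence-1.pdf'],
        2 => ['id' => 2, 'user_id' => 20, 'file' => 'uploads/evidence-2.pdf'],
    ];
}

// Shape the advisory describes: whatever the method or caller, the row with this id is removed.
function deleteReportVulnerable(array &$reports, string $method, array $session, int $id): int
{
    unset($reports[$id]);   // no method, authentication or ownership check at all
    return 302;             // redirect back to the list as if it had succeeded
}

// Hardened decision: method + CSRF, then authentication (CWE-285), then authorization on THIS record (CWE-639).
function deleteReportHardened(array &$reports, string $method, array $session, int $id, ?string $csrfToken): int
{
    // 1. State-changing actions are POST only, so a bare link, prefetch or crawler cannot trigger them.
    if ($method !== 'POST') {
        return 405;
    }
    // 2. CSRF: the token posted with the form must equal the one bound to the session (constant-time compare).
    if ($csrfToken === null || !isset($session['csrf']) || !hash_equals($session['csrf'], $csrfToken)) {
        return 403;
    }
    // 3. Authentication: the check that is missing in the vulnerable version.
    if (empty($session['user_id'])) {
        return 401;
    }
    // 4. Authorization on the specific key: look the record up, then compare its owner to the caller.
    if (!isset($reports[$id])) {
        return 404;
    }
    $isAdmin = (($session['role'] ?? '') === 'admin');
    if (!$isAdmin && $reports[$id]['user_id'] !== (int) $session['user_id']) {
        return 403;         // logged in, but not the owner: the id-swapping case the CVE describes
    }
    unset($reports[$id]);   // only now remove the row (and, in the real app, its uploaded file)
    return 302;
}

// Walk through the requests an attacker and a legitimate user would produce.
function runScenarios(): array
{
    $anon   = [];
    $user20 = ['user_id' => 20, 'role' => 'user',  'csrf' => 'tok-20'];
    $admin  = ['user_id' => 1,  'role' => 'admin', 'csrf' => 'tok-admin'];

    $results = [];
    $r = sampleReports();
    $results['vuln_anon_get']      = deleteReportVulnerable($r, 'GET', $anon, 1);              // 302: deleted
    $r = sampleReports();
    $results['hard_anon_get']      = deleteReportHardened($r, 'GET',  $anon,   1, null);        // 405
    $results['hard_anon_post']     = deleteReportHardened($r, 'POST', $anon,   1, null);        // 403: no token
    $results['hard_user20_other']  = deleteReportHardened($r, 'POST', $user20, 1, 'tok-20');    // 403: not owner
    $results['hard_user20_own']    = deleteReportHardened($r, 'POST', $user20, 2, 'tok-20');    // 302: owner
    $results['hard_admin_missing'] = deleteReportHardened($r, 'POST', $admin,  2, 'tok-admin'); // 404: already gone
    $results['hard_admin_other']   = deleteReportHardened($r, 'POST', $admin,  1, 'tok-admin'); // 302: admin
    $results['rows_left']          = count($r);                                                  // 0
    return $results;
}

foreach (runScenarios() as $case => $status) {
    printf("%-20s -> %d\n", $case, $status);
}
```

In a CodeIgniter 3 controller the same four steps map onto $this->input->method(TRUE) for the method check, the framework's own CSRF filter (enabled by $config['csrf_protection'] = TRUE, with the token emitted by form_open()), $this->session->userdata() for the login and role checks, and a model lookup of the report before the ownership comparison; the order matters, because comparing the owner before loading the record, or deleting the file before the checks, leaves the same gap the CVE describes.
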
