CVE-2026-36720
Status: Deferred - Pending Action
Insecure Permission Escalation in BookCars

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
Insecure permissions in bookcars v8.3 allow authenticated attackers to escalate privileges from user to admin by modifying their own user type.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)

Vendor   | Product  | Version / Range
---------|----------|----------------
bookcars | bookcars | 8.3
CWE

CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Instant insights powered by AI
Executive Summary

This vulnerability exists in BookCars software version 8.3 and earlier, specifically in the /api/update-user endpoint. Authenticated users can exploit insecure permissions to change their own user type without proper authorization checks.

The application accepts a 'type' parameter from user input and applies it directly, allowing attackers to escalate their privileges from a regular user to an administrator.

The flaw is due to missing role-based restrictions in the update function of the user controller, which processes user updates without verifying if the user has sufficient privileges to modify their role.

Impact Analysis

This vulnerability can lead to a complete compromise of the application's access control system.

  • An attacker who is an authenticated user can escalate their privileges to administrator level.
  • With admin privileges, the attacker can perform any administrative actions, potentially leading to unauthorized data access, modification, or deletion.
  • This can result in loss of data integrity, confidentiality, and overall system security.
Detection Guidance

This vulnerability can be detected by monitoring requests to the `/api/update-user` endpoint where the `type` parameter is being modified by authenticated users. Specifically, look for attempts where a user changes their own user type to an administrator without proper authorization.

Such activity can be detected by inspecting web server logs or by using network monitoring tools to filter HTTP requests to the `/api/update-user` endpoint that carry the `type` parameter.

  • Use grep or similar tools on server logs to find suspicious requests: `grep '/api/update-user' /var/log/nginx/access.log | grep 'type=admin'`. Note that a default access log records only the request line, so a `type` value sent in a JSON or form POST body will not appear there; matching on the body requires request-body logging at the proxy or the application-level logging described below.
  • Use a network packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to `/api/update-user` containing the `type` parameter.
  • Implement application-level logging to record all user type modification attempts for auditing.
Mitigation Strategies

Immediate mitigation steps include implementing proper authorization checks to ensure that only administrators can modify user types.

Remove or disable the ability for users to update their own roles through the `/api/update-user` endpoint.

Apply role-based access control (RBAC) to restrict privileged operations related to user type modifications.

Enable logging of all user type modification attempts to facilitate security auditing and detect potential abuse.
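The following is an added example, not BookCars's own code: a framework-free model of the `/api/update-user` update logic that shows the pattern described above (request fields copied straight onto the user record) beside a hardened version that restricts `type` changes to administrators, validates the value, and emits an audit event for every attempted type change. It assumes an in-memory `Map` store, an `_id` field, and the `type` values `'user'` and `'admin'`.

```javascript
// Added example (not BookCars code). Assumed: user records keyed by `_id`
// in a Map, and a `type` field whose allowed values are 'user' and 'admin'.
const USER_TYPES = new Set(['user', 'admin']);

// Vulnerable pattern: every field of the request body, including `type`,
// is applied to the stored record with no authorization check, so a
// regular user can submit { type: 'admin' } for their own account.
function updateUserVulnerable(store, requester, body) {
  const target = store.get(body._id);
  if (!target) return { status: 404 };
  Object.assign(target, body);
  return { status: 200, user: target };
}

// Hardened pattern: the caller must be the account owner or an admin,
// only admins may change `type`, the new value must be a known type,
// and every attempted type change is reported to an audit sink.
function updateUserHardened(store, requester, body, audit = () => {}) {
  const target = store.get(body._id);
  if (!target) return { status: 404 };
  const isSelf = requester._id === body._id;
  const isAdmin = requester.type === 'admin';
  if (!isSelf && !isAdmin) return { status: 403, reason: 'not owner or admin' };

  // Separate the privileged field from the rest of the update.
  const { _id, type, ...safeFields } = body;
  const typeChange = type !== undefined && type !== target.type;
  if (typeChange) {
    // Record the attempt whether or not it is allowed (detection guidance).
    audit({ actor: requester._id, target: _id, from: target.type, to: type, allowed: isAdmin });
    if (!isAdmin) return { status: 403, reason: 'only admins may change user type' };
    if (!USER_TYPES.has(type)) return { status: 400, reason: 'invalid user type' };
  }
  Object.assign(target, safeFields);
  if (typeChange) target.type = type;
  return { status: 200, user: target };
}

// Constructed sample data for a stand-alone run.
function sampleStore() {
  return new Map([
    ['u1', { _id: 'u1', type: 'user', name: 'alice' }],
    ['a1', { _id: 'a1', type: 'admin', name: 'root' }],
  ]);
}
```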
