CVE-2026-36721
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-10
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-36721
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
bookcars bookcars 8.3
bookcars bookcars to 8.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-36721 is an authorization bypass vulnerability in BookCars software versions up to and including v8.3. The issue arises because the authentication middleware incorrectly relies on the Origin header to determine user roles and permissions. Attackers can spoof this header to impersonate a regular user, which allows them to bypass authentication and gain unauthorized access to admin-only endpoints.

This vulnerability is caused by improper role-based access control (RBAC) implementation, where permissions are inferred from client-controlled headers instead of validating the user's actual role stored in the database.

Impact Analysis

This vulnerability can allow attackers to bypass authentication and gain unauthorized access to sensitive administrative functions within the BookCars application. For example, attackers can access admin-only endpoints such as /api/users, potentially leading to unauthorized data access, modification, or other administrative actions that should be restricted.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing HTTP requests to the affected BookCars application, specifically looking for requests where the Origin header is spoofed to match the frontend host value. Such requests may indicate attempts to bypass authentication and access admin-only endpoints.

You can use network traffic inspection tools like curl or tcpdump to observe suspicious requests. For example, using curl to test access to an admin endpoint with a spoofed Origin header:

  • curl -H "Origin: https://frontend.bookcars.example" https://your-bookcars-server/api/users

Additionally, inspecting server logs for requests to admin endpoints that include unusual or unexpected Origin headers can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation involves fixing the improper role-based access control (RBAC) implementation by explicitly defining required roles at the endpoint level and validating the user's actual role from the database rather than relying on client-controlled headers like Origin.

Specifically, update the authentication middleware to stop using the Origin header for permission checks and instead verify user roles securely from the backend database.

As a temporary measure, monitor and block requests with suspicious Origin headers attempting to access admin endpoints.

Compliance Impact

This vulnerability allows attackers to bypass authentication and gain unauthorized access to sensitive administrative functions by exploiting improper role-based access control. Such unauthorized access to sensitive data or administrative controls can lead to violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Specifically, failure to properly verify user roles and permissions may result in unauthorized disclosure or modification of protected data, undermining compliance with data protection and privacy requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart