CVE-2026-54415
Status: Deferred - Pending Action
Authorization Bypass in Azuriom CMS

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
Missing Authorization in the server management routes (routes/admin.php) in Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}).
CVSS / EPSS
No CVSS score is listed. EPSS: not evaluated (N/A) as of page generation (2026-06-17).
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
azuriom   azuriom    all versions before 1.2.11 (1.2.11 itself excluded)
CWE ID    Description
CWE-269   Improper Privilege Management: the product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-862   Missing Authorization: the product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI-generated analysis
Executive Summary

This vulnerability is a Missing Authorization issue in the server management routes (routes/admin.php) of Azuriom CMS before 1.2.11. Those routes were guarded only by admin.access, the permission needed just to enter the admin panel, so any authenticated user holding it could create a server via /admin/servers/create and thereby obtain an AzLink server token. That token authenticates requests to the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}), which the attacker can then use to change the passwords and email addresses of non-admin users and take over their accounts, with no permission specific to server management ever being checked.
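The two-step chain above (server creation, then token-authenticated AzLink calls) leaves a recognisable trace in ordinary web-server access logs. The script below is an added triage example, not Azuriom's code and not part of the original advisory: it correlates a successful POST to /admin/servers/create with later state-changing calls to the AzLink endpoints named in the description. The Apache/Nginx combined log format, the 30-minute window and the set of mutating HTTP methods are assumptions, and the log lines are constructed for illustration.

```python
"""Constructed access-log triage for the CVE-2026-54415 request pattern.

Added example; not Azuriom's code. Correlates a successful
POST /admin/servers/create (which issues an AzLink server token) with
later calls to the AzLink account-mutation endpoints named in the advisory.
The combined log format and the 30-minute window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Apache/Nginx "combined" format (assumed): ip ident user [ts] "req" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Step 1: creating a server is what hands the attacker an AzLink token.
CREATE_RE = re.compile(r'^/admin/servers/create/?$')
# Step 2: AzLink endpoints that change account data (from the advisory text).
AZLINK_RE = re.compile(r'^/api/azlink/(password|email|user/\d+)/?$')
# Methods treated as state-changing (assumed; the advisory only says "crafted HTTP requests").
MUTATING = {'POST', 'PUT', 'PATCH', 'DELETE'}

WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': m.group('method'),
        'path': m.group('path').split('?', 1)[0],   # drop any query string
        'status': int(m.group('status')),
    }


def find_takeover_chains(lines, window=WINDOW):
    """Return [(create_event, [azlink_events])] for every server creation that is
    followed by AzLink account mutations within `window`.

    Correlation is by time only, not by client IP: the AzLink calls are
    authenticated by the server token and may legitimately come from a
    different host than the admin's browser session.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e['ts'])
    chains = []
    for c in events:
        if c['method'] != 'POST' or not CREATE_RE.match(c['path']) or c['status'] >= 400:
            continue
        follow = [e for e in events
                  if e['method'] in MUTATING and AZLINK_RE.match(e['path'])
                  and e['status'] < 400 and c['ts'] <= e['ts'] <= c['ts'] + window]
        if follow:
            chains.append((c, follow))
    return chains


def describe(chains):
    """Render each chain as one line, e.g. for a ticket or alert body."""
    return [
        f"{c['ts'].isoformat()} {c['ip']} created server; "
        f"{len(follow)} AzLink mutation(s) within window: "
        + ', '.join(f"{e['method']} {e['path']} from {e['ip']}" for e in follow)
        for c, follow in chains
    ]


# Constructed sample lines (not real traffic). A Laravel form POST answers 302.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Jun/2026:10:00:01 +0000] "GET /admin/servers HTTP/1.1" 200 5120',
    '203.0.113.10 - - [17/Jun/2026:10:00:15 +0000] "POST /admin/servers/create HTTP/1.1" 302 0',
    '198.51.100.7 - - [17/Jun/2026:10:03:40 +0000] "POST /api/azlink/password HTTP/1.1" 200 45',
    '198.51.100.7 - - [17/Jun/2026:10:04:02 +0000] "POST /api/azlink/email HTTP/1.1" 200 45',
    '198.51.100.7 - - [17/Jun/2026:10:04:30 +0000] "POST /api/azlink/user/42 HTTP/1.1" 200 120',
    '198.51.100.7 - - [17/Jun/2026:10:05:00 +0000] "GET /api/azlink/user/42 HTTP/1.1" 200 120',
    '192.0.2.55 - - [17/Jun/2026:12:31:00 +0000] "POST /api/azlink/password HTTP/1.1" 403 30',
    'not a log line at all',
]

if __name__ == '__main__':
    for line in describe(find_takeover_chains(SAMPLE_LOG)):
        print(line)
```

Every hit needs triage rather than automatic blocking: a legitimately added game server is also followed by AzLink traffic, so confirm who performed the creation, whether that person should manage servers, and whether the password/email changes correspond to real in-game requests. Password and email mutations that arrive from an address no AzLink plugin is deployed on are the strongest indicator.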

Impact Analysis

The impact is significant: a user with nothing more than admin.access, the permission needed just to enter the admin panel, can escalate to control over every non-admin account on the site. Changing a victim's password and email address locks the legitimate user out and hands the attacker a persistent foothold in that account, with whatever data and privileges it holds. Admin accounts are out of scope by the advisory's wording, but a low-privilege staff or moderator role that can open the admin panel is enough to mount the attack, and the resulting account takeovers undermine user trust in the platform.

Mitigation Strategies

Upgrade Azuriom CMS to 1.2.11 or later, which adds the missing authorization checks to the server management routes.

The fix introduces a dedicated admin.servers permission for those routes. After upgrading, grant it only to roles that genuinely need to create and manage servers; a role holding admin.access alone should no longer be able to reach /admin/servers/create.

Review role permissions with this in mind. Until the upgrade is applied, treat every holder of admin.access as able to take over non-admin accounts: restrict that permission to trusted staff, check the server list in the admin panel for entries you did not create, and look in your access logs for POST requests to /admin/servers/create followed by calls to the /api/azlink/* endpoints.

Compliance Impact

The vulnerability lets an authenticated attacker with the admin.access permission change the passwords and email addresses of non-admin users without proper authorization, taking over their accounts.

Unauthorized access to and modification of account data of this kind can breach data protection regulations such as GDPR and, where applicable, HIPAA, which require strict controls over who may access and modify personal data.

In particular, the ability to change users' email addresses and passwords without authorization undermines the integrity and confidentiality of user identity data and can put the operator out of compliance with standards that mandate protecting it.
