CVE-2026-16210
Received Received - Intake

Authentication Bypass in SimpleUI via AjaxAdmin

Vulnerability report for CVE-2026-16210, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability was found in newpanjing simpleui 2026.01.13. This affects the function self.get_action of the file simpleui/admin.py of the component AjaxAdmin AJAX Endpoint. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
newpanjing simpleui 2026.01.13

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the SimpleUI library's AjaxAdmin class, which registers custom AJAX endpoints without enforcing Django admin authentication. Attackers can send POST requests to these endpoints with action names and selected items, executing admin actions without proper authorization. The issue occurs because the endpoints do not verify authentication, staff status, or action permissions before executing actions.

Detection Guidance

Check for unauthorized POST requests to /ajax or /layer endpoints in your Django admin interface. Monitor logs for requests to these paths with action parameters. Use tools like curl to test if actions can be executed without authentication: curl -X POST http://<target>/ajax -d 'action=<action_name>&selected=1'

Impact Analysis

An attacker could exploit this to perform unauthorized actions such as data export, modification, or destructive bulk operations if the application has registered such actions. This could lead to data breaches, unauthorized changes, or system disruptions.

Compliance Impact

This vulnerability could lead to unauthorized data access or modification, violating GDPR's data protection requirements and HIPAA's security rules for protected health information. Non-compliance may result in legal penalties, fines, or reputational damage.

Mitigation Strategies

Apply the suggested fix by wrapping custom views with Django admin's admin_view decorator in get_urls(). Ensure action authorization by checking self.get_actions(request) before execution. Reject unsafe HTTP methods and preserve Django admin's CSRF protection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16210. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart