CVE-2026-35552
Received
Received - Intake
Authenticated API License Deactivation in CAXperts UPVWebServices
Vulnerability report for CVE-2026-35552, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-08
Last updated on: 2026-07-08
Assigner: MITRE
Description
Description
In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing authorization checks, this allows the attacker to deactivate the application's license.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| caxperts | upvwebservices | From 2.4.2212.603 (inc) to 2.7.6 (inc) |
| udith | portal | From 2026.0.0 (inc) to 2026.2.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |