CVE-2026-51119
Received Received - Intake

Privilege Escalation in Invixium IXM WEB

Vulnerability report for CVE-2026-51119, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: MITRE

Description

An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
invixium ixm_web 2.3.85.25

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-51119 is a privilege escalation vulnerability in Invixium IXM WEB version 2.3.85.25. It occurs because the server does not properly check if a user has administrator privileges before allowing access to the /SystemUsers/CreateAppUser endpoint.

An authenticated user with low privileges can exploit this flaw to create a new administrator account, thereby gaining full administrative access to the application.

The root cause is missing server-side authorization checks on the POST /SystemUsers/CreateAppUser endpoint.

Impact Analysis

This vulnerability allows an attacker who already has a valid authenticated user account to escalate their privileges to administrator level.

Once exploited, the attacker can create new administrator accounts, manage users, and perform any administrative functions within the Invixium IXM WEB application.

This could lead to unauthorized access to sensitive data, manipulation of user accounts, and potentially full control over the system's security and management features.

Detection Guidance

This vulnerability can be detected by monitoring and testing the /SystemUsers/CreateAppUser endpoint on Invixium IXM WEB v2.3.85.25 for improper authorization.

Specifically, an authenticated low-privileged user should not be able to successfully create a new administrator account via a POST request to this endpoint.

To detect exploitation attempts or verify vulnerability, you can use commands like curl to simulate POST requests to the endpoint with low-privileged credentials and observe if the server allows creation of admin users.

  • curl -X POST -u lowprivuser:password https://target-system/SystemUsers/CreateAppUser -d '{"username":"newadmin","role":"administrator"}' -H 'Content-Type: application/json'

If the request succeeds and creates an admin user without proper authorization, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /SystemUsers/CreateAppUser endpoint to only trusted administrator accounts.

Ensure that proper server-side authorization checks are implemented to verify that only users with administrator privileges can create new users with elevated rights.

If possible, temporarily disable or firewall the vulnerable endpoint to prevent exploitation until a patch or update is applied.

Monitor logs for suspicious POST requests to this endpoint from low-privileged users.

Contact Invixium for official patches or updates addressing this vulnerability.

Compliance Impact

The vulnerability in Invixium IXM WEB v2.3.85.25 allows an authenticated low-privileged user to escalate privileges by creating a new administrator account without proper authorization checks. This could lead to unauthorized access and control over sensitive user and system data.

Such unauthorized privilege escalation can potentially compromise the confidentiality, integrity, and availability of personal and sensitive data managed by the system, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal information.

However, the provided information does not explicitly mention the direct impact on compliance with these standards or any specific regulatory consequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51119. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart