CVE-2026-53903

Insecure Direct Object Reference in MCO Trading Document Fetch

Vulnerability report for CVE-2026-53903, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: CERT.PL

Description

MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier. An attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Meta Information

Generated: 2026-07-01

Affected Vendors & Products

Vendor              Product  Version / Range
mycomplianceoffice  mco      to 25.3.3.1 (exc)

CWE

CWE ID   Description
CWE-639  The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Compliance Impact

The vulnerability allows unauthorized access to sensitive trading documents of other users due to improper authorization checks. This unauthorized disclosure of sensitive information can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access.

Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in the MCO application, specifically in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint.

The application does not properly check if an authenticated user is authorized to access a requested document, allowing users to retrieve documents by supplying a document ID.

Because the document IDs follow predictable patterns, an attacker can guess or enumerate these IDs to access trading documents belonging to other users without permission.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive trading documents belonging to other users.

An attacker who successfully exploits this issue can access confidential information that they should not have access to, potentially leading to privacy breaches or misuse of sensitive data.

Detection Guidance

This vulnerability involves an Insecure Direct Object Reference (IDOR) in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint, where an attacker can access documents by providing a user-supplied document ID.

To detect this vulnerability on your system or network, you can attempt to access the fetchPdfStatement endpoint with different document IDs while authenticated, to see if documents belonging to other users are accessible.

Commands or tools that can be used include curl or any HTTP client to send requests with varying document IDs and observe if unauthorized documents are returned.

  • Example curl command to test access to a document ID: curl -i -H "Authorization: Bearer <token>" "https://<mco-server>/customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=<id>"
  • Automate enumeration by scripting requests with sequential or predictable document IDs to check for unauthorized access.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to only authorized users and implementing proper authorization checks to ensure users can only access their own documents.
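The authorization check this paragraph asks for is shown below as an added example; it is not MCO's code, and the in-memory document store, the user names and the handler shape are constructed for illustration. The point it makes is that ownership must be part of the lookup itself, and that a foreign document should be answered exactly like a missing one so the endpoint cannot be used to tell live IDs from dead ones.

```python
"""Ownership check for a per-user PDF statement fetch handler.

Added illustrative code, not MCO's implementation: the store, the
user names and the handler signature are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class TradingDocument:
    document_id: int
    owner_id: str          # the customer the statement belongs to
    pdf_bytes: bytes


# Constructed sample store: sequential IDs shared across customers,
# which is exactly the layout that makes enumeration cheap.
DOCUMENTS: Dict[int, TradingDocument] = {
    1001: TradingDocument(1001, "alice", b"%PDF-1.4 alice statement"),
    1002: TradingDocument(1002, "bob", b"%PDF-1.4 bob statement"),
    1003: TradingDocument(1003, "alice", b"%PDF-1.4 alice statement 2"),
}


def fetch_vulnerable(authenticated_user: str, document_id: int) -> Tuple[int, bytes]:
    """CWE-639 pattern: the lookup key is the client-supplied ID alone.

    `authenticated_user` is never consulted, so any valid ID is served.
    """
    doc = DOCUMENTS.get(document_id)
    if doc is None:
        return 404, b""
    return 200, doc.pdf_bytes


def fetch_fixed(authenticated_user: str, document_id: int) -> Tuple[int, bytes]:
    """Ownership is part of the lookup, not a check bolted on afterwards.

    A document owned by someone else is answered exactly like a document
    that does not exist, so the response does not confirm which IDs are
    live and cannot serve as an enumeration oracle.
    """
    doc = DOCUMENTS.get(document_id)
    if doc is None or doc.owner_id != authenticated_user:
        return 404, b""
    return 200, doc.pdf_bytes


def handle_fetch_pdf_statement(authenticated_user: str,
                               query: Dict[str, str]) -> Tuple[int, bytes]:
    """Request-level wrapper: validate the parameter, then do the bound lookup.

    Mirrors the `?documentId=<id>` query shape of the affected endpoint.
    """
    raw = query.get("documentId", "")
    if not raw.isdigit():
        return 400, b""
    return fetch_fixed(authenticated_user, int(raw))


if __name__ == "__main__":
    # bob asking for alice's statement 1001
    print("vulnerable:", fetch_vulnerable("bob", 1001)[0])   # 200: leaked
    print("fixed:     ", fetch_fixed("bob", 1001)[0])        # 404: denied
```

In a real deployment the same binding belongs in the data-access layer (the query filters on the session's customer ID, not only on the document ID), so that every code path that reaches the document table inherits the check rather than each servlet re-implementing it.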

If possible, disable or restrict the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint until a patch or fix is applied.

Monitor access logs for unusual or repeated requests with varying document IDs that may indicate exploitation attempts.
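The log monitoring described above, as an added example rather than anything from MCO or the advisory: it parses access-log lines for the fetchPdfStatement endpoint and flags any user who requests an unusually large number of distinct documentId values inside a short window. The log line format and the sample lines are constructed for the example; the regular expression has to be adapted to the servlet container or reverse proxy actually in front of the application.

```python
"""Flag users who walk through many distinct documentId values.

Added example, not MCO's code. The access-log format below is an
assumption constructed for the example; adapt LINE_RE to the real
servlet container or proxy log before use.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/customer/servlet/mco/webapi/trading-document/fetchPdfStatement"

# Constructed sample log: alice reads her own two statements, mallory
# walks six consecutive IDs in five seconds, bob touches one statement
# and one unrelated endpoint that must be ignored.
SAMPLE_LOG = """\
2026-07-01T10:00:01Z user=alice 10.0.0.5 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1001 200
2026-07-01T10:00:02Z user=alice 10.0.0.5 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1003 200
2026-07-01T10:00:05Z user=mallory 10.0.0.9 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1001 200
2026-07-01T10:00:06Z user=mallory 10.0.0.9 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1002 200
2026-07-01T10:00:07Z user=mallory 10.0.0.9 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1003 200
2026-07-01T10:00:08Z user=mallory 10.0.0.9 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1004 404
2026-07-01T10:00:09Z user=mallory 10.0.0.9 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1005 404
2026-07-01T10:00:10Z user=mallory 10.0.0.9 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1006 200
2026-07-01T10:05:00Z user=bob 10.0.0.7 GET /customer/servlet/mco/webapi/trading-document/fetchPdfStatement?documentId=1002 200
2026-07-01T10:05:01Z user=bob 10.0.0.7 GET /customer/servlet/mco/webapi/trading-document/list 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return a fetchPdfStatement event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != ENDPOINT:
        return None
    doc = parse_qs(parts.query).get("documentId", [None])[0]
    if doc is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "user": m.group("user"),
        "doc": doc,
        "status": int(m.group("status")),
    }


def find_enumeration(log_text: str, distinct_threshold: int = 5,
                     window_seconds: int = 60) -> Dict[str, Tuple[int, int]]:
    """Map user -> (peak distinct IDs in one window, number of 4xx responses).

    Only users whose peak distinct-ID count reaches the threshold are
    returned. The 4xx count is a second signal: once the endpoint answers
    foreign IDs with 404, an enumeration run shows up as a burst of 404s.
    """
    by_user: Dict[str, list] = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev:
            by_user[ev["user"]].append(ev)

    alerts: Dict[str, Tuple[int, int]] = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        window: deque = deque()
        peak = 0
        for ev in events:
            window.append(ev)
            # drop events that fell out of the sliding time window
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len({e["doc"] for e in window}))
        if peak >= distinct_threshold:
            client_errors = sum(1 for e in events if 400 <= e["status"] < 500)
            alerts[user] = (peak, client_errors)
    return alerts


if __name__ == "__main__":
    for user, (peak, errs) in find_enumeration(SAMPLE_LOG).items():
        print(f"{user}: {peak} distinct documentIds in a 60s window, {errs} 4xx responses")
```

The threshold and window are deliberately parameters: a customer with a long statement history can legitimately open several documents in a row, so tune them against a baseline of normal traffic before alerting on them.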

Contact the vendor or check for updates or patches addressing this vulnerability, especially for version 25.3.3.1 and potentially other versions.
