CVE-2026-57869
Received Received - Intake

Unauthorized Document Access in MicroRealEstate Due to Broken Object-Level Access Controls

Vulnerability report for CVE-2026-57869, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: The Missing Link Australia (TML)

Description

Broken object-level access controls and the use of a deterministic pattern during random ID generation in MicroRealEstate allows attackers to access documents uploaded by landlords or tenants without authorization. This issue affects MicroRealEstate: through 1.0.0-alpha3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
camel_aissani microrealestate to 1.0.0-alpha3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1241 The device uses an algorithm that is predictable and generates a pseudo-random number.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-57869 is a Broken Access Control vulnerability in the Documents API of Camel Aissani’s MicroRealEstate Client Portal.

The issue arises because the platform uses a deterministic pattern to generate random identifiers for organizations, which significantly reduces the randomness (entropy) of these IDs.

Attackers can exploit this weakness by brute-forcing these predictable IDs to gain unauthorized access to documents uploaded by landlords or tenants.

This vulnerability affects MicroRealEstate versions up to 1.0.0-alpha3, and no fixed versions are currently available.

Impact Analysis

This vulnerability allows attackers to access sensitive documents uploaded by landlords or tenants without authorization.

Such unauthorized access can lead to exposure of private or confidential information, potentially resulting in privacy breaches, identity theft, or misuse of personal data.

Because the identifiers are predictable, attackers can systematically brute-force and retrieve multiple documents, increasing the scope of the impact.

Mitigation Strategies

There are currently no fixed versions available for MicroRealEstate that address this vulnerability.

Since the vulnerability arises from the use of a deterministic pattern in ID generation allowing brute-force attacks, immediate mitigation steps could include restricting access to the Documents API, implementing additional access controls, monitoring for unusual access patterns, and limiting exposure of the affected service.

Compliance Impact

The vulnerability in MicroRealEstate allows unauthorized access to documents uploaded by landlords or tenants due to broken object-level access controls and predictable ID generation. This unauthorized access to potentially sensitive personal and tenant information could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

Specifically, the ability for attackers to brute-force document identifiers and access confidential documents undermines the confidentiality and integrity principles mandated by these regulations, potentially resulting in non-compliance and associated legal and financial consequences.

Detection Guidance

This vulnerability involves broken object-level access controls and the use of deterministic patterns in ID generation, allowing unauthorized access to documents via brute-forcing predictable IDs.

To detect this vulnerability on your system, you can attempt to access document resources by enumerating or brute-forcing document or organization IDs following the deterministic pattern used by the application.

Suggested commands include using tools like curl or wget to send HTTP requests to the Documents API endpoints with sequential or patterned IDs to check if unauthorized access is possible.

  • Example curl command to test access to document IDs: curl -i -X GET "http://<microrealestate-host>/api/documents/<document_id>"
  • Automate brute-force attempts with a script or tools like Burp Suite Intruder or wfuzz to iterate over possible document or organization IDs.

Monitoring logs for repeated failed or successful access attempts to document endpoints with varying IDs can also help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57869. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart