CVE-2026-10152
Description
A vulnerability was detected in TaleLin lin-cms-spring-boot up to 0.2.1. This issue affects some unknown processing of the file src/main/java/io/github/talelin/latticy/controller/v1/BookController.java of the component book Endpoint. The manipulation results in improper access controls. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated access in lin-cms-spring-boot BookController allows remote attackers to create and update books without authorization.
Vulnerability
A vulnerability exists in TaleLin lin-cms-spring-boot up to version 0.2.1 in the BookController.java file. The POST /v1/book endpoint (line 63) and the PUT /v1/book/{id} endpoint (line 70) lack any permission verification, allowing unauthenticated remote attackers to create arbitrary books and update any existing book's information. The id parameter in the PUT endpoint is predictable and enumerable, enabling attackers to target all stored books [1].
Exploitation
An attacker needs only network access to the vulnerable application. No authentication or prior knowledge is required. For arbitrary book creation, a POST request with a JSON body containing fields like title, author, and summary is sent to /v1/book. For updating any existing book, a PUT request to /v1/book/{id} with the desired fields is sent; the attacker can iterate through sequential id values to modify all books [1]. The exploit is publicly available.
Impact
Successful exploitation allows an attacker to create unauthorized book records and modify the information of any existing book in the database. This results in unauthorized data manipulation, compromising the integrity of the CMS content. No privilege escalation or data disclosure beyond the book entity is described, but the ability to alter stored data can lead to further abuse [1].
Mitigation
As of the publication date, the project maintainers have not responded to the issue report, and no official fix has been released. Users of lin-cms-spring-boot version 0.2.1 or earlier should add the missing checks themselves: a login and permission guard on the create and update handlers in BookController, enforced before the handler body runs, not inside it. Until that is deployed, restrict network access to the application, for example by placing it behind an authenticating reverse proxy. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TaleLin lin-cms-spring-boot (no CPE assigned)
- TaleLin lin-cms-spring-boot (no CPE assigned), version range: <=0.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing permission checks on the createBook() and updateBook() methods in BookController allow unauthenticated create/update operations."
Attack vector
An attacker sends a POST request to `/v1/book` with arbitrary JSON fields (title, author, summary, image) to create a book without any authentication. Similarly, a PUT request to `/v1/book/{id}` with the same JSON body updates any existing book; the `id` parameter is predictable and enumerable, enabling an attacker to iterate through IDs and modify every book in the database. [ref_id=1]
Affected code
The vulnerability resides in `src/main/java/io/github/talelin/latticy/controller/v1/BookController.java`. The `createBook()` method at line 63 (POST `/v1/book`) and the `updateBook()` method at line 70 (PUT `/v1/book/{id}`) lack any permission verification, allowing unauthenticated creation and modification of book records. [ref_id=1]
What the fix does
The advisory recommends adding permission annotations to the `createBook()` and `updateBook()` methods in `BookController.java`, so that an unauthenticated or unprivileged request is rejected before the handler runs. Note that `@RequiresPermissions` is Apache Shiro's annotation, not Spring Security's; the Spring Security equivalent is `@PreAuthorize`, and lin-cms-spring-boot ships its own guard annotations, enforced by its authorization interceptor, which is the natural fit for this code base. No patch has been published by the project maintainers as of the advisory date. [ref_id=1]
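The following is an added example, not the project's code and not taken from the advisory: the two handlers as the report describes them, with the guard the fix would add. Assumptions, to be checked against the 0.2.1 source: the guard annotations `@GroupRequired`, `@PermissionMeta` and `@PermissionModule` live in `io.github.talelin.core.annotation` and are enforced by the project's authorization interceptor before the handler method is invoked; `BookService`, `CreateOrUpdateBookDTO`, `CreatedVO` and `UpdatedVO` are illustrative names for the project's service, request and result types; the permission display names are illustrative.

```java
// Added example (not the project's code). Package and import paths for the
// project's own types are assumptions, see the lead-in above.
package io.github.talelin.latticy.controller.v1;

import io.github.talelin.core.annotation.GroupRequired;     // assumed: login + group permission required
import io.github.talelin.core.annotation.PermissionMeta;    // assumed: names the permission being checked
import io.github.talelin.core.annotation.PermissionModule;  // assumed: groups permissions in the admin UI
import io.github.talelin.latticy.dto.book.CreateOrUpdateBookDTO; // assumed DTO name
import io.github.talelin.latticy.service.BookService;            // assumed service name
import io.github.talelin.latticy.vo.CreatedVO;                    // assumed result types
import io.github.talelin.latticy.vo.UpdatedVO;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.validation.constraints.Positive;

@RestController
@RequestMapping("/v1/book")
@PermissionModule(value = "book")
@Validated
public class BookController {

    @Autowired
    private BookService bookService;

    // BEFORE (as reported): no annotation, so the interceptor lets any client,
    // logged in or not, reach the handler and create a record.
    //
    // @PostMapping("")
    // public CreatedVO createBook(@RequestBody @Validated CreateOrUpdateBookDTO validator) {
    //     bookService.createBook(validator);
    //     return new CreatedVO();
    // }

    // AFTER: the interceptor rejects the request (401 not logged in, 403 no
    // permission) before this method body is entered.
    @PostMapping("")
    @GroupRequired
    @PermissionMeta(value = "create book")
    public CreatedVO createBook(@RequestBody @Validated CreateOrUpdateBookDTO validator) {
        bookService.createBook(validator);
        return new CreatedVO();
    }

    // Same guard on update. The id is still enumerable; the guard, not id
    // obscurity, is what stops an attacker from walking every record.
    @PutMapping("/{id}")
    @GroupRequired
    @PermissionMeta(value = "update book")
    public UpdatedVO updateBook(
            @PathVariable("id") @Positive(message = "{id.positive}") Integer id,
            @RequestBody @Validated CreateOrUpdateBookDTO validator) {
        bookService.updateBook(id, validator); // assumed to reject unknown ids in the service layer
        return new UpdatedVO();
    }
}
```

Apply the same guard to every mutating handler on the controller (delete included), and verify after deployment that an anonymous `POST /v1/book` now returns 401 rather than a created record: a guard that lives in the handler body rather than in an interceptor or method-security annotation is easy to forget on the next endpoint.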
Preconditions
- network: the attacker must be able to reach the /v1/book endpoint (network access).
- auth: no authentication or session is required; the endpoint is fully unauthenticated.
Reproduction
The advisory provides a full PoC: send `POST /v1/book` with JSON body `{"title":"TEST","author":"TEST","summary":"TEST","image":"TEST.jsp"}` to create a book without authentication. To update, send `PUT /v1/book/6` with JSON body `{"title":"Hacker","author":"Hacker","summary":"Hacker","image":"Hacker.jsp"}`. [ref_id=1]
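The requests in the Exploitation and Reproduction sections create and overwrite records, which is not what a practitioner wants to run against production to find out whether an instance is exposed. The following is an added example, not the advisory's PoC and not the project's code: a read-only probe in the project's language that sends only the PUT, to an id that cannot exist, with no credentials, and classifies the answer. Assumptions: the base URL (lin-cms-spring-boot's default port is taken to be 5000), that a request rejected by the authorization layer answers 401 or 403, and that an unguarded handler reaching the service layer answers 404 for an unknown id (the page does not state the not-found status; verify it on a test instance first).

```java
// Added example (not from the advisory or the project). Read-only probe:
// no POST is sent, and the PUT targets an id that cannot exist.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public class BookAuthProbe {

    // Same field set as the advisory's PoC body; the values do not matter for the check.
    static final String BODY =
            "{\"title\":\"probe\",\"author\":\"probe\",\"summary\":\"probe\",\"image\":\"probe.png\"}";

    enum Verdict { GUARDED, UNGUARDED, UNKNOWN }

    /** Classify the status returned to a request that carried no session or token. */
    static Verdict classify(int status) {
        if (status == 401 || status == 403) {
            return Verdict.GUARDED;          // rejected before the handler ran
        }
        if (status == 404 || (status >= 200 && status < 300)) {
            return Verdict.UNGUARDED;        // handler ran: looked the id up, or even accepted it
        }
        // 400 is ambiguous: body validation may run before a method-level guard,
        // so a validation error proves nothing either way. Anything else: look at the body.
        return Verdict.UNKNOWN;
    }

    static int send(HttpClient client, String method, String url) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                .timeout(Duration.ofSeconds(10))
                .header("Content-Type", "application/json")
                // deliberately no Authorization header and no cookie
                .method(method, HttpRequest.BodyPublishers.ofString(BODY))
                .build();
        return client.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
    }

    public static void main(String[] args) throws Exception {
        String base = args.length > 0 ? args[0] : "http://localhost:5000"; // assumed default port
        HttpClient client = HttpClient.newBuilder()
                .connectTimeout(Duration.ofSeconds(5))
                .build();

        // Integer.MAX_VALUE will not be a real book id on any realistic instance,
        // so an unguarded handler changes nothing and reports not-found.
        String url = base + "/v1/book/" + Integer.MAX_VALUE;
        int status = send(client, "PUT", url);
        System.out.println("PUT " + url + " without credentials -> HTTP " + status
                + " : " + classify(status));
    }
}
```

Run it as `java BookAuthProbe.java http://host:port` (JDK 11 or later, single-file mode). A GUARDED verdict on the PUT says nothing about the POST, so after applying a fix, confirm the create path as well on a test instance where a stray record does no harm.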
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.