CVE-2026-11521
Description
Improper authorization in Mohammed-eid35 bank-management-system-springboot allows unauthenticated remote transactions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A security vulnerability exists in Mohammed-eid35 bank-management-system-springboot up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. The TransactionController.java component, specifically the /transaction/deposit and /transaction/withdraw endpoints, fails to enforce authentication and authorization checks. This allows unauthenticated requests to reach these critical transaction endpoints because the Spring Security configuration permits access to /transaction/** without proper validation [1]. The project uses a rolling release model, so specific affected and updated versions are not detailed [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. The attacker needs to know a valid card_number to initiate a deposit or a valid card_number and cvv to initiate a withdrawal. The backend does not verify the user's identity or account ownership, directly processing transactions based on these provided identifiers. The exploit involves sending POST requests to the /transaction/deposit or /transaction/withdraw endpoints with the necessary card details [1].
Impact
Successful exploitation allows an attacker to perform unauthorized deposits and withdrawals on behalf of any user whose card number and potentially CVV are known. This directly impacts the confidentiality and integrity of user accounts, leading to financial loss and unauthorized modification of account balances. The scope of the compromise is limited to the accounts for which the attacker possesses the required identifiers [1].
Mitigation
As of the available references, no specific patched version or release date has been disclosed. The project was informed of the issue early but has not yet responded. There are no workarounds mentioned, and the product's rolling release model means specific version details are unavailable. The vulnerability has been publicly disclosed and may be actively exploited [1, 2].
- [1] Unauthenticated access to transaction endpoints allows unauthorized deposits and withdrawals
- [2] GitHub - Mohammed-eid35/bank-management-system-springboot: Welcome to the Bank Management System repository built using Spring Boot! This project is designed to provide a foundation for managing banking operations using modern web technologies.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Critical transaction endpoints are missing authentication and authorization checks."
Attack vector
The application exposes transaction endpoints to unauthenticated users because `/transaction/**` is permitted in the Spring Security configuration. An attacker can send POST requests to `/transaction/deposit` with a valid `card_number` or to `/transaction/withdraw` with a valid `card_number` and `cvv`. The backend does not verify the current user identity or account ownership before processing the transaction, directly using the supplied identifiers. This allows unauthorized deposits and withdrawals remotely [ref_id=1].
Affected code
The vulnerability resides in the `TransactionController.java` file, specifically affecting the transaction endpoints. The security configuration in `SecurityConfiguration.java` incorrectly allows unauthenticated access to these endpoints. The `TransactionServiceImpl.java` also processes transactions without verifying user identity or account ownership [ref_id=1].
What the fix does
The advisory suggests removing `/transaction/**` from `permitAll()` in the Spring Security configuration. It also recommends requiring authentication for transaction endpoints and verifying that the target account belongs to the authenticated user. This would ensure that only authorized users can perform financial operations and that transactions are processed only after proper identity and ownership checks [ref_id=1].
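The two changes the advisory calls for, a route rule that requires authentication and an ownership check in the service, can be shown in one place. The following is an added example, not code from the Mohammed-eid35 project: it uses the Spring Security 6 `SecurityFilterChain` API and keeps the permissive rule as a comment for contrast. The `Account` and `AccountRepository` shapes, the `/auth/**` paths, the `ownerUsername()` field and the request records are assumptions made for illustration; the project's JWT filter is assumed to populate the `SecurityContext` before the route rules run.

```java
import java.math.BigDecimal;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;
import com.fasterxml.jackson.annotation.JsonProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;

// Illustrative filter chain (not the project's own). Unauthenticated requests to
// /transaction/** now get a 401 before any controller code runs.
@Configuration
@EnableWebSecurity
class SecurityConfiguration {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable()) // stateless bearer-token API (assumed); no session cookies
            .authorizeHttpRequests(auth -> auth
                // Weak rule described in the advisory; shown only for contrast:
                // .requestMatchers("/transaction/**").permitAll()
                .requestMatchers("/auth/**").permitAll()            // assumed registration/login paths
                .requestMatchers("/transaction/**").authenticated() // corrected: principal required
                .anyRequest().authenticated());
        return http.build();
    }
}

// Assumed minimal account shape; the project's entity is not shown on the page.
interface Account {
    String ownerUsername();   // username of the user who created the account
    String cvv();
    BigDecimal balance();
    void setBalance(BigDecimal b);
}

// Assumed lookup, e.g. a Spring Data derived query.
interface AccountRepository {
    Optional<Account> findByCardNumber(String cardNumber);
}

@Service
class TransactionServiceImpl {
    private final AccountRepository accounts;
    TransactionServiceImpl(AccountRepository accounts) { this.accounts = accounts; }

    // Ownership check: the account must exist AND belong to the authenticated caller.
    // One identical failure for both cases keeps the service from confirming which card numbers exist.
    private Account ownedAccount(String cardNumber, Authentication caller) {
        Account account = accounts.findByCardNumber(cardNumber)
            .orElseThrow(() -> new AccessDeniedException("account not available"));
        if (!account.ownerUsername().equals(caller.getName())) {
            throw new AccessDeniedException("account not available");
        }
        return account;
    }

    private static void requirePositive(BigDecimal amount) {
        if (amount == null || amount.signum() <= 0) throw new IllegalArgumentException("amount must be positive");
    }

    @Transactional
    public BigDecimal deposit(String cardNumber, BigDecimal amount, Authentication caller) {
        requirePositive(amount);
        Account account = ownedAccount(cardNumber, caller);
        account.setBalance(account.balance().add(amount));
        return account.balance();
    }

    @Transactional
    public BigDecimal withdraw(String cardNumber, String cvv, BigDecimal amount, Authentication caller) {
        requirePositive(amount);
        Account account = ownedAccount(cardNumber, caller);
        // CVV stays a second check on withdrawals; compare in constant time.
        byte[] given = cvv == null ? new byte[0] : cvv.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(given, account.cvv().getBytes(StandardCharsets.UTF_8))) {
            throw new AccessDeniedException("account not available");
        }
        if (account.balance().compareTo(amount) < 0) throw new IllegalStateException("insufficient funds");
        account.setBalance(account.balance().subtract(amount));
        return account.balance();
    }
}

// JSON field names follow the card_number / cvv names used in the advisory.
record DepositRequest(@JsonProperty("card_number") String cardNumber, BigDecimal amount) {}
record WithdrawRequest(@JsonProperty("card_number") String cardNumber, String cvv, BigDecimal amount) {}

@RestController
@RequestMapping("/transaction")
class TransactionController {
    private final TransactionServiceImpl service;
    TransactionController(TransactionServiceImpl service) { this.service = service; }

    // Spring MVC injects the current Authentication; with the corrected chain it is never null here.
    @PostMapping("/deposit")
    public BigDecimal deposit(@RequestBody DepositRequest req, Authentication caller) {
        return service.deposit(req.cardNumber(), req.amount(), caller);
    }

    @PostMapping("/withdraw")
    public BigDecimal withdraw(@RequestBody WithdrawRequest req, Authentication caller) {
        return service.withdraw(req.cardNumber(), req.cvv(), req.amount(), caller);
    }
}
```

The route rule alone is not sufficient: an authenticated user could still move money on another user's card, which is why `ownedAccount` compares the account owner to `Authentication.getName()` taken from the security context rather than to anything in the request body. `AccessDeniedException` is translated by Spring Security to a 403 for authenticated callers, so the client-visible behaviour is a 401 without a token and a 403 for a card that is not the caller's.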
Preconditions
- Auth: No authentication is required to access the transaction endpoints [ref_id=1].
- Input: An attacker needs to know a valid card number for deposits, and a valid card number plus CVV for withdrawals [ref_id=1].
Reproduction
Register a user to obtain a JWT token. Use this token to create an account and note the `card_number` and `cvv`. Then, send unauthenticated POST requests to `/transaction/deposit` with the `card_number` and to `/transaction/withdraw` with the `card_number` and `cvv`. Finally, use the authenticated token to fetch the account and confirm the balance has been modified by the unauthenticated requests [ref_id=1].
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.