CVE-2026-3020
Description
Identity-based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An IDOR in Wakyma web app lets attackers modify a victim's email, validate it, and request a password reset, leading to full account takeover.
Vulnerability
Overview
CVE-2026-3020 is an identity-based authorization bypass (IDOR) vulnerability in the Wakyma web application, a management and marketing platform for veterinary centers [1]. The root cause is the application's failure to properly verify that the authenticated user is authorized to modify the data of a specific target account. This allows an authenticated attacker to manipulate requests that reference a victim user's identifier without appropriate access control checks [1].
Exploitation
The attack can be carried out remotely over the network by an authenticated attacker with low privileges; no user interaction is required [1]. By leveraging the IDOR, the attacker can perform sensitive operations on behalf of another user, such as changing the victim's email address, validating the new email, and requesting a new password for the victim's account [1]. These actions do not require the victim to be tricked or to perform any action themselves.
Impact
Successful exploitation grants the attacker the ability to take complete control of the victim's legitimate account [1]. Once the email is changed and a password reset is triggered, the attacker can set a new password and log in as the victim. This compromise can lead to unauthorized access to sensitive data managed through the veterinary center's software, with potential consequences for data confidentiality and integrity of the affected user's account (CVSS v4.0 base score 8.6, High severity) [1].
Mitigation
The vendor, Wakyma, resolved the vulnerability in the continuous integration pipeline deployed to production as of February 19, 2026 [1]. Users of the Wakyma web application are advised to ensure they are running the latest version from that date or later. No workarounds are mentioned in the advisory; applying the vendor's fix is the recommended course of action [1].
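The access-control failure described above, shown as an added illustrative example that is not Wakyma's code: an email-change handler that trusts a client-supplied user id (the IDOR pattern), beside a hardened one that requires the authenticated session to own the target account, plus a small audit pass over constructed access-log lines that flags requests where the session user acts on a different user id. The user table, route shape and log format are all assumptions.

```python
"""Illustrative IDOR pattern (constructed example, not Wakyma's code): an
email-change handler that trusts a client-supplied user id, beside a
hardened one that binds the target to the authenticated session."""


class Forbidden(Exception):
    """Raised when the caller may not act on the target account."""


# Constructed in-memory user table; ids and addresses are sample data.
USERS = {
    101: {"email": "owner@example.test", "pending_email": None},
    202: {"email": "victim@example.test", "pending_email": None},
}


def change_email_vulnerable(session_user_id, request):
    """BUG: the account to modify comes from the request body, so any
    authenticated user can stage an email change on any other account."""
    target = request["user_id"]
    USERS[target]["pending_email"] = request["new_email"]
    return target


def change_email_fixed(session_user_id, request):
    """Object-level authorization: the authenticated principal must own
    the target account; the client-supplied id is checked, not trusted."""
    target = request["user_id"]
    if target != session_user_id:
        raise Forbidden(f"user {session_user_id} may not modify {target}")
    USERS[target]["pending_email"] = request["new_email"]
    return target


def try_change(handler, session_user_id, request):
    """Run a handler; True if the change was applied, False if refused."""
    try:
        handler(session_user_id, request)
        return True
    except Forbidden:
        return False


def audit_idor(log_lines):
    """Flag constructed access-log lines '<session_user> <METHOD>
    /users/<target>/email' where the session user acts on another id."""
    return [line for line in log_lines
            if line.split()[0] != line.split()[2].split("/")[2]]
```

The audit function is a detection aid for reviewing logs of an affected deployment: a mismatch between the session principal and the path id on a profile-mutating route is the signature of this bug class.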
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1. Wakyma / Wakyma application web v5 (range: all versions)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.