CVE-2026-31070
Description
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote attackers can self-assign an admin role via the signup endpoint, leading to full system compromise.
Vulnerability
The LalanaChami Pharmacy Management System (commit 5c3d028) contains an authentication bypass vulnerability in the /api/user/signup endpoint. The endpoint fails to validate the role parameter in the request body, allowing any unregistered user to set their role to "admin" during account creation. No authentication is required to reach this endpoint, and no server-side checks prevent privilege escalation. The same repository also exposes multiple other APIs (e.g., getUserData) without authentication, as detailed in the reference [1].
Exploitation
An attacker with network access to the application can send a POST request to /api/user/signup with a crafted JSON body containing a role field set to an administrative value (e.g., "admin"). No prior authentication, user interaction, or special privileges are needed. The server will create a new user account with full administrative privileges, allowing the attacker to then log in and access all subsequent API endpoints [1].
Impact
Successful exploitation grants the attacker complete control over the Pharmacy Management System. The attacker can read all data, including user records with bcrypt password hashes, drug inventory, doctor prescriptions, and financial records. Additionally, limited write access enables unauthorized creation, modification, and deletion of users, inventory items, and medical records. This leads to total compromise of confidentiality, integrity, and availability of the system [1].
Mitigation
As of the publication date (2026-05-19), no patched version or official fix has been released. The maintainer has not tagged any releases or provided a version number beyond 0.0.0. The only mitigation is to restrict network access to the application (e.g., via firewall rules or a VPN) until a fix is deployed. The vendor should implement authentication middleware on all critical endpoints and validate the role parameter during registration to prevent self-assignment of elevated privileges [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE); range: = 5c3d028 (commit)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions
No linked articles in our index yet.