VYPR
Critical severity 9.1 (NVD Advisory) · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-31071


Description

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-31071: Unauthenticated remote attacker can dump user hashes, modify inventory, access patient data, and escalate to admin via unvalidated role assignment.

Vulnerability

CVE-2026-31071 affects LalanaChami Pharmacy Management System (commit 5c3d028). Two distinct flaws exist: (1) API endpoints such as /api/user/getUserData and /api/doctorOder lack authentication middleware, allowing unauthenticated remote access to user records (including bcrypt password hashes), drug inventory, and medical prescription data. (2) The /api/user/signup endpoint in backend/routes/user.js directly assigns the user-supplied role parameter from req.body.role to the new user without any server-side validation or whitelist, enabling unauthenticated privilege escalation [1]. The affected version is the latest master branch with commit 5c3d028c520628ece50f034900e0a98c07943d70; no versioned releases are provided [1].

Exploitation

An unauthenticated attacker can exploit either flaw remotely. For privilege escalation, the attacker sends a POST request to /api/user/signup with a JSON body containing "role":"admin"; the server creates a new user account with administrative privileges immediately [1]. For data access, the attacker sends a GET request to /api/user/getUserData to dump all user records (including bcrypt hashes) or to /api/doctorOder to access private medical prescription data, and can modify drug inventory via other unprotected endpoints. No authentication or user interaction is required [1].

Impact

Successful exploitation leads to full compromise of the system. An attacker gains administrative privileges, enabling unauthorized access to all user data (including password hashes), modification of drug inventory, and disclosure of private medical prescription data. The confidentiality, integrity, and availability of sensitive health information are at risk [1].

Mitigation

As of the publication date (2026-05-19), no official patch or versioned release has been provided by the vendor. The repository shows no tags or releases; the vulnerable code remains in the latest master commit (5c3d028c520628ece50f034900e0a98c07943d70) with version 0.0.0 [1]. Mitigations include: implement authentication middleware on all sensitive API endpoints, enforce server-side role validation (e.g., whitelist allowed roles) during signup, and restrict access to production deployments until a fix is available. Not listed on CISA KEV as of this writing.
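As an added illustration of these mitigations (not code from the LalanaChami project), the following Express-style handlers model the vulnerable signup next to a hardened one and put a data endpoint behind authentication and role middleware; plain objects stand in for Express, and the role names, session map and user store are assumptions.

```javascript
// Added example, not the project's code: Express-style (req, res, next) handlers modelling
// the advisory's two fixes. Role names, the session map and user store are assumptions.
const SIGNUP_ROLES = new Set(['customer']);                  // assumption: self-service signup only
const PASSWORD_HASH = '$2b$12$constructed-placeholder-hash'; // constructed, not a real bcrypt hash
// Vulnerable pattern described in the advisory: role copied verbatim from req.body.role.
function signupVulnerable(req, users) {
  const user = { name: req.body.name, role: req.body.role, passwordHash: PASSWORD_HASH };
  users.push(user);
  return { status: 201, body: { role: user.role } };
}
// Hardened signup: the role must be on a server-side allow-list; anything else is rejected.
function signupHardened(req, users) {
  const role = req.body.role === undefined ? 'customer' : req.body.role;
  if (typeof role !== 'string' || !SIGNUP_ROLES.has(role)) {
    return { status: 400, body: { error: 'role not permitted at signup' } };
  }
  users.push({ name: req.body.name, role, passwordHash: PASSWORD_HASH });
  return { status: 201, body: { role } };
}
// Authentication middleware: resolve a bearer token to a user or stop the chain with 401.
function requireAuth(sessions) {
  return (req, res, next) => {
    const token = (req.headers.authorization || '').replace(/^Bearer\s+/i, '');
    const user = sessions.get(token);
    if (!user) { res.status = 401; res.body = { error: 'authentication required' }; return; }
    req.user = user;
    next();
  };
}
// Authorization middleware: only the listed roles may reach the handler.
function requireRole(...roles) {
  return (req, res, next) => {
    if (!roles.includes(req.user.role)) { res.status = 403; res.body = { error: 'forbidden' }; return; }
    next();
  };
}
// Minimal router stand-in: runs the middleware chain, then the handler unless one short-circuited.
function dispatch(middlewares, handler, req) {
  const res = { status: 200, body: null };
  let i = 0;
  const next = () => { if (i < middlewares.length) middlewares[i++](req, res, next); else res.body = handler(req); };
  next();
  return res;
}
// /api/user/getUserData behind the chain above; password hashes are never returned to clients.
function getUserData(users) {
  return () => users.map(({ passwordHash, ...safe }) => safe);
}
```

Mounting `requireAuth` and `requireRole` ahead of every data and inventory route, and replacing the direct `req.body.role` assignment with the allow-list check, closes both flaws the advisory describes.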

References
  1. CVE-2026-31071

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in the index yet)