VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-36721

Description

BookCars v8.3 has an authorization bypass vulnerability allowing attackers to gain unauthorized admin access by spoofing the Origin header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

BookCars versions up to and including v8.3 contain an authorization bypass vulnerability in the validateAccessToken function. The authentication middleware incorrectly uses the Origin header to determine required user roles for endpoint access, rather than validating the authenticated user's actual role from the database [1].

Exploitation

An authenticated attacker can exploit this vulnerability by spoofing the Origin header to match the value of the user frontend host. This causes the server to incorrectly apply regular user permission checks to admin-only endpoints, such as /api/users, granting unauthorized access to administrative functions [1].

Impact

Successful exploitation allows an attacker to bypass authorization checks and gain unauthorized access to sensitive administrative functions and data, effectively escalating their privileges from a regular user to an administrator [1].

Mitigation

Mitigations include implementing proper role-based access control (RBAC) by explicitly defining required roles at the endpoint level and validating the authenticated user's actual role from the database against the endpoint's required permissions. A fixed version is not yet disclosed in the available references [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"The authentication middleware incorrectly uses the Origin header to determine user role permissions."

Attack vector

An authenticated attacker can spoof the `Origin` header to match the user frontend host value. This causes the server to incorrectly apply regular user permission checks to admin-only endpoints, such as `/api/users`. As a result, the attacker gains unauthorized access to sensitive administrative functions [1].

Affected code

The vulnerability lies within the authentication middleware located in `/backend/src/middlewares/authJwt.ts`. Specifically, the `isAdmin` and `isFrontend` functions in `/backend/src/utils/authHelper.ts` incorrectly rely on the `Origin` header to determine user roles. This logic is then applied when verifying tokens for various routes defined in `/backend/src/routes/userRoutes.ts` [1].

What the fix does

The advisory recommends implementing proper role-based access control (RBAC) by explicitly defining required roles at the endpoint level, rather than inferring them from client-controlled headers. It also suggests validating the authenticated user's actual role from the database against the endpoint's required permissions. The patch is not available in the provided information.
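As an added illustration of the two patterns the advisory contrasts (not BookCars code; every name and the host value below are hypothetical), the Origin-derived check sits beside an endpoint-declared RBAC check that consults only the role loaded for the authenticated user:

```typescript
// Added illustration of the flaw class in this advisory, not BookCars code.
// All names and the host value below are hypothetical.
type Role = "admin" | "user";

// Shape of a request after token verification: headers are client-controlled,
// user.role is the record loaded server-side for the token's subject.
interface AuthedRequest {
  headers: Record<string, string>;
  user: { id: string; role: Role };
}

const FRONTEND_HOST = "https://frontend.example"; // constructed placeholder

// Weak pattern: the role an endpoint requires is inferred from Origin, so a
// caller who presents the frontend host is only held to "user" checks.
function weakAllow(req: AuthedRequest): boolean {
  const required: Role = req.headers["origin"] === FRONTEND_HOST ? "user" : "admin";
  return required === "user" || req.user.role === "admin";
}

// Hardened pattern: each route declares the role it requires, and the decision
// consults only the database-backed role of the authenticated user.
const ROLE_RANK: Record<Role, number> = { user: 1, admin: 2 };

const ROUTE_POLICY = new Map<string, Role>([
  ["/api/users", "admin"],
  ["/api/bookings", "user"],
]);

function requireRole(required: Role): (req: AuthedRequest) => boolean {
  return (req) => ROLE_RANK[req.user.role] >= ROLE_RANK[required];
}

function hardenedAllow(path: string, req: AuthedRequest): boolean {
  const required = ROUTE_POLICY.get(path);
  if (required === undefined) return false; // undeclared route: deny by default
  return requireRole(required)(req);
}

// Constructed sample request builder; the Origin value has no bearing on
// hardenedAllow, which is the property the fix is meant to restore.
function sampleRequest(role: Role, origin: string): AuthedRequest {
  return { headers: { origin }, user: { id: "u-1", role } };
}
```

Note that the weak check passes a regular user who presents the frontend Origin, while the hardened check denies the same request to `/api/users` whatever Origin carries and still admits a genuine admin.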

Preconditions

  • auth: The attacker must be an authenticated user.
  • network: The attacker must be able to control the `Origin` header of the HTTP request.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (No linked articles in our index yet.)