CVE-2026-9603
Description
A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in SourceCodester eDoc Doctor Appointment System 1.0 allows unauthenticated attackers to delete appointment records via the /admin/delete-session.php endpoint.
Vulnerability
The vulnerability resides in the /admin/delete-session.php endpoint of SourceCodester eDoc Doctor Appointment System version 1.0. The endpoint fails to validate user authorization before processing requests, allowing manipulation of the ID parameter to delete appointment or session records. This is classified as CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization) [3].
Exploitation
An attacker with network access to the application can exploit this vulnerability without authentication. By sending a crafted HTTP request to /admin/delete-session.php with a target ID parameter, the attacker can delete arbitrary records. A public proof-of-concept exploit script is available [1]. No user interaction or special privileges are required.
Impact
Successful exploitation allows an unauthenticated attacker to delete appointment and session records, leading to a loss of data integrity and availability. The CVSS v3.1 score is 6.5 (Medium) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L [3]. No confidential information is disclosed.
Mitigation
As of the publication date, no patched version has been released. The vendor (SourceCodester) has not provided an official fix. Administrators should implement strict authentication and authorization checks for administrative endpoints, validate user roles before delete operations, restrict direct access to sensitive functionality, and consider using centralized access control middleware as recommended in the advisory [3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in /admin/delete-session.php allows unauthenticated deletion of appointment/session records."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP request to the /admin/delete-session.php endpoint with a manipulated `id` parameter [ref_id=1]. The endpoint does not validate the user's identity or role before processing the delete operation, so no authentication token or session is required [ref_id=1]. Because the application runs over HTTP and the endpoint is reachable without any privilege, any attacker on the network can delete arbitrary appointment/session records [ref_id=1].
Affected code
The vulnerable endpoint is /admin/delete-session.php in SourceCodester eDoc Doctor Appointment System 1.0 [ref_id=1]. The advisory does not specify the exact PHP function or line, but the file fails to enforce any authorization check before processing the `id` parameter.
What the fix does
No patch has been published by the vendor. The advisory recommends enforcing authentication and authorization checks on all administrative endpoints, validating user roles before processing delete operations, restricting direct access to sensitive administrative functionality, and implementing centralized access control middleware [ref_id=1]. Until a fix is applied, the endpoint remains accessible to any unauthenticated remote attacker.
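The following is an added, illustrative hardening of an admin delete endpoint in the shape of /admin/delete-session.php, showing the checks the advisory recommends (authentication, role validation, a centralized guard, and safe handling of `id`). It is not the project's code; the session keys, the `tbl_session` table, the redirect target and the database credentials are assumptions.

```php
<?php
// Added example, not SourceCodester's code. Session keys ('admin_id', 'role',
// 'csrf_token'), the table name and the DB credentials are placeholders.
declare(strict_types=1);

session_start();

// Centralized guard: one function every /admin/*.php script calls first,
// so a single forgotten check can no longer expose an endpoint.
function require_admin(): void
{
    // Authentication: no admin session means no access at all.
    if (empty($_SESSION['admin_id'])) {
        http_response_code(401);
        exit('Authentication required.');
    }
    // Authorization: only the admin role may reach administrative actions.
    if (($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden.');
    }
}

require_admin();

// A destructive action should be a POST carrying a per-session CSRF token,
// so an authenticated admin cannot be tricked into deleting via a crafted link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !hash_equals($_SESSION['csrf_token'] ?? '', (string) ($_POST['csrf_token'] ?? ''))) {
    http_response_code(403);
    exit('Invalid request.');
}

// Validate id as a positive integer instead of passing raw input through.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id.');
}

// Parameterised delete; rowCount() shows whether a record actually existed.
$pdo = new PDO('mysql:host=localhost;dbname=edoc', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('DELETE FROM tbl_session WHERE id = :id');
$stmt->execute([':id' => $id]);

// Audit trail for incident response: who deleted which record, and whether it existed.
error_log(sprintf('admin %d deleted session %d (%d row(s))',
    (int) $_SESSION['admin_id'], $id, $stmt->rowCount()));

header('Location: /admin/sessions.php');
exit;
```

In a real deployment `require_admin()` belongs in a shared include loaded by every administrative script, which is the centralized access control the advisory describes.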
Preconditions
- network: Attacker must have network access to the web server hosting the eDoc Doctor Appointment System.
- input: Attacker must be able to supply an arbitrary id parameter to /admin/delete-session.php.
Reproduction
The advisory states that a proof-of-concept is included in the repository at https://github.com/NARKHEDE-VAIBHAV/poc/blob/main/CVE-2026-9603-Missing-Authorization/Advisory.md, but the reproduction steps are not documented in the provided bundle beyond describing that an unauthenticated request to /admin/delete-session.php with a manipulated id parameter deletes records [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.