GCVE-1-2026-0014
Vulnerability from gna-1 – Published: 2026-02-04 19:32 – Updated: 2026-02-04 19:32
Title
Missing Authorization Check Allows Unauthorized Modification of Vulnerability Disclosure Reports
Summary
A missing authorization check in the /disclosure/edit/<id> POST endpoint allows authenticated users to modify vulnerability disclosure reports submitted by other users. The endpoint did not verify that the authenticated user was the original reporter of the disclosure, resulting in an improper authorization vulnerability. An attacker with a valid account could exploit this issue to edit arbitrary vulnerability disclosure reports by submitting crafted requests. The issue was resolved by enforcing authentication and validating ownership of the disclosure before permitting modifications.
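The flaw described above is the classic object-level authorization gap: the handler loads the disclosure by id and writes to it without comparing the caller with the record's reporter. The following added example is not code from the vulnerability-lookup project; the store, the user names (alice, bob, mallory) and the handler functions are constructed for illustration. It models the flawed POST handler beside the hardened one, which, as the summary describes the fix, first requires an authenticated user and then validates ownership of the disclosure before any field is modified. The whitelist of editable fields is an additional defensive measure in the example, not part of the fix the advisory describes.

```python
import copy
from dataclasses import dataclass


class Unauthorized(Exception):
    """No authenticated user (would be an HTTP 401)."""


class Forbidden(Exception):
    """Authenticated, but not the reporter of this disclosure (HTTP 403)."""


class NotFound(Exception):
    """No disclosure with that id (HTTP 404)."""


@dataclass
class Disclosure:
    id: int
    reporter: str   # username of the account that submitted the report
    title: str
    body: str


# Constructed sample data: two reports submitted by two different users.
_SAMPLE = {
    1: Disclosure(1, "alice", "Report A", "written by alice"),
    2: Disclosure(2, "bob", "Report B", "written by bob"),
}

# Only these form fields may be written by an edit; anything else in the
# form (for example a "reporter" field) is ignored rather than mass-assigned.
EDITABLE_FIELDS = ("title", "body")


def fresh_store():
    """Return an independent copy of the sample data for each scenario."""
    return copy.deepcopy(_SAMPLE)


def edit_disclosure_vulnerable(store, current_user, disclosure_id, form):
    """Model of the flawed handler for POST /disclosure/edit/<id>.

    It confirms the record exists but never compares current_user with the
    record's reporter, so any account can overwrite any report.
    """
    disclosure = store.get(disclosure_id)
    if disclosure is None:
        raise NotFound(disclosure_id)
    for name in EDITABLE_FIELDS:
        if name in form:
            setattr(disclosure, name, form[name])
    return disclosure


def edit_disclosure_fixed(store, current_user, disclosure_id, form):
    """Hardened handler: require a logged-in user, then check ownership,
    and only then write any field (authentication before authorization)."""
    if current_user is None:
        raise Unauthorized()
    disclosure = store.get(disclosure_id)
    if disclosure is None:
        raise NotFound(disclosure_id)
    if disclosure.reporter != current_user:
        # Object-level authorization: only the original reporter may edit.
        raise Forbidden(f"{current_user} is not the reporter of #{disclosure_id}")
    for name in EDITABLE_FIELDS:
        if name in form:
            setattr(disclosure, name, form[name])
    return disclosure


def attempt(handler, current_user, disclosure_id, form):
    """Run one edit against a fresh store and return (http_status, body_after),
    the pair a regression test for this issue would assert on."""
    store = fresh_store()
    try:
        handler(store, current_user, disclosure_id, form)
        status = 200
    except Unauthorized:
        status = 401
    except Forbidden:
        status = 403
    except NotFound:
        status = 404
    body_after = store[disclosure_id].body if disclosure_id in store else None
    return status, body_after


if __name__ == "__main__":
    tampered = {"body": "edited by bob"}
    print("vulnerable, bob edits alice's report:", attempt(edit_disclosure_vulnerable, "bob", 1, tampered))
    print("fixed, bob edits alice's report:     ", attempt(edit_disclosure_fixed, "bob", 1, tampered))
    print("fixed, alice edits her own report:   ", attempt(edit_disclosure_fixed, "alice", 1, tampered))
    print("fixed, anonymous edit:               ", attempt(edit_disclosure_fixed, None, 1, tampered))
```

The order of the checks in the fixed handler matters: an unauthenticated caller is rejected before any lookup, and a non-owner is rejected before any write, so a failed request leaves the stored report untouched. A test that asserts the body is unchanged after a 403, as in the scenarios above, is the regression check to keep for this class of bug.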
Severity
CVSS 4.0 base score 7.4 (High); vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y/U:Clear
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/vulnerability-lookup/vulnerability-lookup/commit/1771b42ac05a833e2bf1d7743c6ad3d7e0d12920 | patch |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| vulnerability-lookup | vulnerability-lookup | Affected: ≤ 3.0 |
Credits
nyanbinary <@nyanbinary@infosec.exchange>
Cedric Bonhomme
Claude Sonnet 4.5 <noreply@anthropic.com>
Relationships
```json
{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "vulnerability-lookup",
          "vendor": "vulnerability-lookup",
          "versions": [
            {
              "lessThanOrEqual": "3.0",
              "status": "affected"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nyanbinary \u003c@nyanbinary@infosec.exchange\u003e"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Cedric Bonhomme"
        },
        {
          "lang": "en",
          "type": "other",
          "value": "Claude Sonnet 4.5 \u003cnoreply@anthropic.com\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A missing authorization check in the \u003ccode\u003e/disclosure/edit/\u0026lt;id\u0026gt;\u003c/code\u003e POST endpoint allows authenticated users to modify vulnerability disclosure reports submitted by other users. The endpoint did not verify that the authenticated user was the original reporter of the disclosure, resulting in an improper authorization vulnerability. An attacker with a valid account could exploit this issue to edit arbitrary vulnerability disclosure reports by submitting crafted requests. The issue was resolved by enforcing authentication and validating ownership of the disclosure before permitting modifications.\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "A missing authorization check in the /disclosure/edit/\u003cid\u003e POST endpoint allows authenticated users to modify vulnerability disclosure reports submitted by other users. The endpoint did not verify that the authenticated user was the original reporter of the disclosure, resulting in an improper authorization vulnerability. An attacker with a valid account could exploit this issue to edit arbitrary vulnerability disclosure reports by submitting crafted requests. The issue was resolved by enforcing authentication and validating ownership of the disclosure before permitting modifications."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/1771b42ac05a833e2bf1d7743c6ad3d7e0d12920"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization Check Allows Unauthorized Modification of Vulnerability Disclosure Reports",
      "x_gcve": [
        {
          "recordType": "advisory",
          "vulnId": "gcve-1-2026-0014"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "datePublished": "2026-02-04T19:32:14.341383Z",
    "dateUpdated": "2026-02-04T19:32:14.341383Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "gcve-1-2026-0014",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-02-04T19:32:14.341383Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.