Skip to main content

OMICARD EDM CVE-2026-10597

| EUVDEUVD-2026-34196 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-04 twcert GHSA-vrwp-qqhw-75c3
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 04, 2026 - 03:22 NVD
5.3 (MEDIUM) 6.9 (MEDIUM)
Analysis Generated
Jun 04, 2026 - 02:44 vuln.today

DescriptionCVE.org

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address.

AnalysisAI

Insecure Direct Object Reference in ITPison's OMICARD EDM (an email marketing platform) enables unauthenticated remote attackers to manipulate a specific request parameter to retrieve arbitrary users' email addresses without authorization. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms fully remote, zero-authentication exploitation requiring no user interaction, though impact is bounded to low-level confidentiality loss with no integrity or availability consequence. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

OMICARD EDM is an email marketing and direct mail campaign management platform developed by ITPison, a Taiwanese software vendor. The vulnerability is classified as CWE-639 (Authorization Through User-Controlled Key), a specific variant of Insecure Direct Object Reference where the application exposes internal data object identifiers - likely sequential user record IDs or account keys - directly in HTTP requests without enforcing server-side ownership or access control verification. An attacker who identifies the parameter can substitute arbitrary values to retrieve records belonging to other users. The CPE string cpe:2.3:a:itpison:omicard_edm:*:*:*:*:*:*:*:* uses a wildcard version field, indicating no specific version boundary has been defined in NVD - all known versions of the product are potentially in scope. The tag 'Authentication Bypass' in the intelligence data aligns with the PR:N CVSS vector, confirming the access control failure occurs at the pre-authentication layer.

RemediationAI

No exact patched version is identifiable from the available data - consult the TWCERT advisories at https://www.twcert.org.tw/tw/cp-132-10947-027a7-1.html and https://www.twcert.org.tw/en/cp-139-10948-78864-2.html for vendor-issued patch or upgrade guidance, and contact ITPison directly to confirm a fixed release. As a compensating control pending patching, configure a WAF rule to detect and block rapid sequential or enumerated requests against the vulnerable parameter endpoint, noting this may produce false positives if legitimate pagination uses the same parameter. Restrict external network access to the OMICARD EDM administrative or API interface to trusted IP ranges where operationally feasible, reducing the attack surface to internal actors only. Implement server-side session validation ensuring the authenticated user's identity is checked against the requested record owner before returning any data - this is the permanent architectural fix regardless of patch availability. Enable detailed API access logging and alert on anomalous parameter enumeration patterns as a detection measure.

Share

CVE-2026-10597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy