Skip to main content

CafePlus CVE-2026-10711

| EUVDEUVD-2026-38426 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-23 TR-CERT GHSA-72hx-6mcj-jmr2
8.8
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Adjacent-network reachable, no auth or interaction, low complexity, and missing ACL on a critical function yields full C/I/A impact.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 23, 2026 - 14:17 EUVD
Analysis Generated
Jun 23, 2026 - 13:00 vuln.today

DescriptionCVE.org

Missing authentication for critical function vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. CafePlus allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects CafePlus: from 12.05.03 before 12.05.04.

AnalysisAI

Missing authentication in AKIN Software's CafePlus versions 12.05.03 through 12.05.04 allows adjacent-network attackers to access privileged functionality without credentials. The flaw enables full compromise of confidentiality, integrity, and availability over an adjacent network vector, with no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join target LAN/Wi-Fi
Delivery
Discover CafePlus service
Exploit
Invoke unauthenticated critical function
Execution
Bypass ACL checks
Persist
Read or modify POS data
Impact
Disrupt cafe operations

Vulnerability AssessmentAI

Exploitation Attacker must be on a network adjacent to the CafePlus server (AV:A) - typically the same LAN, VLAN, or Wi-Fi segment as the POS deployment - and the target must be running CafePlus version 12.05.03. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Risk is meaningful but bounded by the adjacent-network attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who joins the same local network as a CafePlus server - for example, by connecting to a cafe's guest Wi-Fi - sends a request to a critical CafePlus function that fails to enforce authentication, gaining the ability to read or alter transactional data, inject commands, or disrupt service. No special tooling or credentials are required and the attack complexity is low, though no public exploit code is identified at time of analysis.
Remediation Upgrade CafePlus to version 12.05.04 or later, which the advisory metadata indicates is the fixed release; confirm availability and patch notes via the vendor through the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0428. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running CafePlus 12.05.03-12.05.04; implement immediate network segmentation and firewall rules to restrict adjacent network access to these systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy