Skip to main content

Bank Management Springboot CVE-2026-11521

| EUVD-2026-35075 LOW
Improper Authorization (CWE-285)
2026-06-08 VulDB GHSA-4vv9-c3hj-rh83
Authentication Bypass Java
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 08, 2026 - 15:37 NVD
MEDIUM LOW
CVSS changed
Jun 08, 2026 - 15:37 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jun 08, 2026 - 14:52 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in Mohammed-eid35 bank-management-system-springboot up to 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. This affects an unknown part of the file src/main/java/com/alien/bank/management/system/controller/TransactionController.java of the component Transaction Endpoint. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Improper authorization in Mohammed-eid35's bank-management-system-springboot exposes the Transaction Endpoint to low-privileged authenticated remote attackers, enabling unauthorized access to or manipulation of financial transaction records belonging to other users. All versions up to commit 7b9bcc65ad7df3db29af71aed9bb500e5f24d948 are affected, with publicly available exploit code disclosed via GitHub issue #8. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege application account
Delivery
Send crafted HTTP request to Transaction Endpoint
Exploit
Supply manipulated resource identifier in request
Execution
Bypass ownership authorization check in TransactionController.java
Impact
Access or modify victim user's transaction data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The CVSS vector PR:L confirms that a low-privilege authenticated account on the target application is required - unauthenticated exploitation is not supported by available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.3 (Medium) reflects network reachability (AV:N), low attack complexity (AC:L), low-privilege authentication required (PR:L), no user interaction (UI:N), and partial impacts across confidentiality, integrity, and availability (C:L/I:L/A:L/S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privileged customer account on the target application, then sends a crafted HTTP request to the Transaction Endpoint substituting another user's transaction or account identifier in the request parameters - the server processes the request without validating that the authenticated user owns the referenced resource. A publicly available proof-of-concept documented in GitHub issue #8 demonstrates this technique, lowering the technical bar significantly. …
Remediation No vendor-released patch has been identified at time of analysis - the project maintainer has not responded to the responsible disclosure submitted via GitHub issue, and RL:X in the CVSS temporal vector confirms no remediation level is defined. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-28575 CRITICAL
10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
CVE-2026-41699 CRITICAL
9.8 Jun 11

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at
CVE-2026-47835 HIGH
8.6 Jun 15

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
CVE-2026-47825 HIGH
8.6 Jun 15

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof

CVE-2026-40999 HIGH
8.6 Jun 11

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al

Share

CVE-2026-11521 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy