Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable IDOR requiring only an authenticated low-privilege session; confidentiality-only impact with no integrity or availability consequence.
Primary rating from Vendor (TR-CERT).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Authorization bypass through User-Controlled key vulnerability in Gis Informatics Engineering Consulting Laboratory R&D and Software Services Inc. GisLab Laboratory Management System allows Exploitation of Trusted Identifiers.
This issue affects GisLab Laboratory Management System: from 1.4.03 through 08072026.
AnalysisAI
Authorization bypass in GisLab Laboratory Management System (versions 1.4.03 through 08072026) allows an authenticated low-privileged user to access confidential data belonging to other users by manipulating user-controlled identifier keys in requests. The flaw (CWE-639, IDOR class) exposes high-confidentiality data without requiring elevated privileges or user interaction, over the network. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated account in the GisLab Laboratory Management System (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) is backed by a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a network-reachable, low-complexity exploit requiring only a standard authenticated session - no elevated privileges and no victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid low-privileged account in GisLab Laboratory Management System crafts HTTP requests substituting another user's record identifier in a parameter (e.g., changing a user ID or sample ID in a URL or POST body). Because the server authorizes based on the caller-supplied key rather than validating session ownership, the response returns the targeted user's confidential laboratory records. … |
| Remediation | Consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0573 for vendor-released patch guidance, as an exact fixed version was not independently confirmed in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45204