Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Incorrect privilege assignment vulnerability in HYPR Server allows Privilege Escalation.This issue affects HYPR Server: from 10.5.1 before 10.7.
AnalysisAI
An incorrect privilege assignment vulnerability in HYPR Server allows authenticated users to escalate their privileges through an unspecified mechanism. HYPR Server versions 10.5.1 through 10.6.x are affected, with the vulnerability resolved in version 10.7 and later. An attacker with valid user credentials can exploit this flaw to gain elevated permissions, potentially compromising the entire authentication infrastructure managed by the HYPR Server instance.
Technical ContextAI
This vulnerability is rooted in CWE-266 (Incorrect Privilege Assignment), which occurs when a system fails to properly enforce privilege boundaries during user role assignment or privilege escalation logic. The affected product is HYPR Server (cpe:2.3:a:hypr:server:*:*:*:*:*:*:*:*), an identity and access management platform. The flaw exists in the privilege assignment logic between versions 10.5.1 and 10.6.x, indicating a regression or improper validation of user permissions during role or capability assignment. The vulnerability likely stems from insufficient authorization checks in the privilege elevation code path, where the system fails to validate that a user should be permitted to assume elevated roles.
RemediationAI
Upgrade HYPR Server to version 10.7 or later immediately to remediate this vulnerability. The patch is available from HYPR and addresses the incorrect privilege assignment logic. Until patching can be completed, organizations should implement compensating controls by restricting administrative access to HYPR Server's privilege management functions to a minimal set of trusted administrators, enforcing multi-factor authentication for all administrative users, and implementing enhanced audit logging on privilege-related operations to detect suspicious elevation attempts. Access the official security advisory and patch downloads at https://www.hypr.com/trust-center/security-advisories.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15483
GHSA-gwp7-phfm-2677