D View 8
CVE-2026-23754
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
AnalysisAI
D-Link D-View 8 versions 2.0.1.107 and below allow authenticated users to bypass access controls on backend API endpoints and retrieve credential data for arbitrary accounts, including administrators. An attacker can leverage exposed credentials to directly authenticate as any user and gain full administrative control over the D-View system. A patch is available to address this high-severity improper access control vulnerability.
Technical ContextAI
Classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Affects the backend API component of D-View 8. D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over th
RemediationAI
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
A security issue exists in D-Link D-View 8 v2.0.2.89 and prior that could allow an attacker to manipulate the probe inve
Use of a static key to protect a JWT token used in user authentication can allow an for an authentication bypass in D-Li
D-Link D-View Use of Hard-coded Cryptographic Key Authentication Bypass Vulnerability. Rated critical severity (CVSS 9.8
D-Link D-View execMonitorScript Exposed Dangerous Method Remote Code Execution Vulnerability. Rated high severity (CVSS
D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous Method Remote Code Execution Vulnerability. Rated high se
D-Link D-View executeWmicCmd Command Injection Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this
D-Link D-View 8 installer versions 2.0.1.107 and below are vulnerable to DLL preloading attacks that execute with admini
Share
External POC / Exploit Code
Leaving vuln.today