Skip to main content

MobilMen 20T CVE-2026-2398

| EUVDEUVD-2026-42959 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-10 TR-CERT GHSA-8jm8-xjp3-35hq
8.8
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable IDOR needing only a low-privileged account (PR:L) and no interaction; user-controlled key grants full cross-account read/write, so C/I/A all High.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 17:34 vuln.today

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows Privilege Escalation.

This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Privilege escalation in Adam Retail Automation's MobilMen 20T (versions v3 through build 10072026) lets an authenticated low-privileged user manipulate a user-controlled key (CWE-639) to access resources or actions belonging to other, higher-privileged accounts. The flaw carries CVSS 8.8 and was reported by Turkey's national CERT (TR-CERT), but no public exploit identified at time of analysis and it is not in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privileged account
Delivery
Locate request with user-controlled ID
Exploit
Tamper object/user key to target admin
Execution
Server skips ownership check
Persist
Execute action as higher-privileged user
Impact
Escalate access to sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on MobilMen 20T (CVSS PR:L - a valid low-privileged account is a prerequisite, obtainable via insider access, credential theft, or self-registration if enabled), reachable over the network (AV:N) with low attack complexity and no user interaction (AC:L/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately consistent but incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or acquires a low-privileged MobilMen 20T account (for example a basic field-sales login) intercepts an application request and swaps the user- or object-identifier parameter for that of an administrator or another tenant. Because the server trusts the client-supplied key, the request executes with the target's privileges, granting the attacker elevated access to read, modify, or disrupt data. …
Remediation No vendor-released patch identified at time of analysis, and the vendor did not respond to disclosure, so a fixed version cannot be cited. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all MobilMen 20T deployments and identify which staff have low-privilege account access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-2398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy