Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts
AnalysisAI
An identity-based authorization bypass vulnerability (IDOR) allows authenticated attackers to modify other users' account data, including email addresses, and subsequently hijack accounts through password reset flows. The vulnerability affects an unspecified product with a CVSS 8.6 severity rating, requires only low privileges to exploit over the network, and enables complete account takeover. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and the EPSS score is unavailable.
Technical ContextAI
This vulnerability represents an Insecure Direct Object Reference (IDOR) flaw, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), where the application fails to properly verify that authenticated users can only access or modify their own account data. The vulnerability allows attackers to manipulate object references (likely user IDs or account identifiers) to access and modify other users' profiles. No specific CPE strings or affected products are identified in the available intelligence, suggesting this may be a placeholder CVE or the affected vendor has not been disclosed.
RemediationAI
Without identified affected products or vendor advisories, specific patching guidance cannot be provided for CVE-2026-3020. Organizations should implement general IDOR prevention controls including proper authorization checks that validate user permissions before allowing profile modifications, implementing secure session management, and adding rate limiting on sensitive account operations. Monitor authentication logs for suspicious account modification patterns and consider implementing additional verification steps for email changes and password resets.
More in Wakyma Application Web
View allA non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in t
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application at the endpoint 'vets.wakyma.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma web application's 'vets.wakyma.com/pets/print
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Wakyma veterinary web application at the endpoint 'vets.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12389