Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.
AnalysisAI
Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated users with the shipping/receiving role to access truck dashboard resources beyond their assigned permissions, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects a specific version of the Kaleris Yard Management System (YMS). Public exploit code is available, and CISA has identified this as exploitable through their SSVC framework, though technical impact is limited to confidentiality breach without integrity or availability consequences.
Technical ContextAI
This vulnerability stems from inadequate role-based access control (RBAC) implementation in Kaleris YMS, a yard management platform. The root cause (CWE-284: Improper Access Control) indicates that the application fails to properly validate user permissions before granting access to truck dashboard resources. Authenticated users with the shipping/receiving role should have restricted visibility limited to their job functions; however, the access control mechanism does not enforce these boundaries. The vulnerability exists in network-accessible components of the YMS application and does not require elevated privileges or complex attack interactions to exploit, as confirmed by the CVSS vector (AV:N/AC:L/PR:L).
RemediationAI
Organizations should contact Kaleris directly or check their official advisory channels for a patched version addressing the access control defect. Until a vendor-released patch is available, implement compensating controls by auditing RBAC role assignments in YMS to ensure shipping/receiving users cannot access truck dashboard resources through the application interface, and restrict network access to the YMS dashboard to authorized personnel only. Consider implementing additional authentication factors (multi-factor authentication) for YMS access to reduce the attack surface to legitimate insiders. Apply the patch immediately upon release from Kaleris. The GitHub repository at https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150 contains proof-of-concept code; review this to understand the exact exploitation path and validate remediation effectiveness. Refer to the NVD vulnerability detail page (https://nvd.nist.gov/vuln/detail/CVE-2026-31150) for updates from Kaleris regarding patch availability and timeline.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19269
GHSA-mpxj-x6rg-mghc