Skip to main content

CVE-2026-31151

| EUVDEUVD-2026-19271 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-04-06 mitre GHSA-4wx7-2hfw-hhff
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 15:00 euvd
EUVD-2026-19271
Analysis Generated
Apr 06, 2026 - 15:00 vuln.today
CVE Published
Apr 06, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application 's resources.

AnalysisAI

Authentication bypass in Kaleris Yard Management System (YMS) v7.2.2.1 enables unauthenticated remote attackers to completely circumvent login verification and gain unauthorized access to application resources with full confidentiality, integrity, and availability impact. The vulnerability has a 9.8 CVSS score with network-based attack vector requiring no privileges or user interaction. Currently tracked at 2% EPSS (5th percentile) with no confirmed active exploitation (not in CISA KEV), though a public proof-of-concept repository exists on GitHub, significantly elevating exploitation risk for this critical authentication flaw.

Technical ContextAI

This vulnerability represents a CWE-288 (Authentication Bypass Using an Alternate Path or Channel) flaw in the login mechanism of Kaleris Yard Management System, an enterprise logistics platform for managing yard operations, dock scheduling, and warehouse coordination. The authentication bypass likely allows attackers to circumvent normal credential verification through flawed authentication logic, improperly validated tokens, or unprotected alternate access paths. While specific CPE data is incomplete (cpe:2.3:a:n/a:n/a), the affected product is confirmed as Kaleris YMS version 7.2.2.1. Authentication bypass vulnerabilities of this severity class typically stem from missing authentication checks on critical endpoints, improper session management, or logical flaws in credential validation routines that permit direct access to protected resources without proper verification of user identity.

RemediationAI

Organizations running Kaleris YMS v7.2.2.1 should immediately contact Kaleris support for patch availability and upgrade guidance, as no specific patched version number is provided in current vulnerability data. Until a vendor-released patch is confirmed and deployed, implement emergency compensating controls including restricting network access to YMS interfaces through firewall rules limiting exposure to trusted IP ranges only, deploying web application firewall (WAF) rules to detect and block authentication bypass attempts, implementing additional authentication layers through reverse proxy with mandatory multi-factor authentication, and enabling comprehensive logging and monitoring of all access attempts to YMS resources for anomaly detection. Review the technical proof-of-concept at https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151 to understand specific attack vectors and tailor detection rules accordingly. Consult Kaleris directly through their support channels or the product page at https://kaleris.com/solutions/yard-management/ for official remediation guidance and patch release timelines. Given the critical nature and existence of public exploit code, this should be treated as an emergency-priority remediation with daily vendor communication until resolution.

Share

CVE-2026-31151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy