Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in vowelweb VW Education Lite vw-education-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Education Lite: from n/a through <= 2.2.0.
AnalysisAI
VW Education Lite versions 2.2.0 and earlier contain a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data through incorrectly configured access control security levels. An attacker with network access can exploit this vulnerability without requiring authentication or user interaction to perform unauthorized modifications, resulting in integrity compromise but not confidentiality or availability impact. The CVSS 5.3 medium score reflects the network-accessible nature and lack of authentication requirements, though the integrity-only impact limits the overall severity.
Technical ContextAI
This vulnerability represents a failure in access control implementation within the vowelweb VW Education Lite application, classified under CWE-862 (Missing Authorization). The root cause involves security levels that are either not properly enforced or incorrectly configured at the application layer, allowing requests that should be denied to proceed with modification capabilities. This type of vulnerability typically occurs when role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms fail to validate user permissions before processing state-changing operations, or when default permissions are overly permissive. The affected product is identified through the vendor vowelweb and application name vw-education-lite, affecting versions through 2.2.0 where authorization checks are apparently missing from critical endpoints.
RemediationAI
Upgrade VW Education Lite to a patched version beyond 2.2.0 as soon as it becomes available from vowelweb. Contact the vendor directly or monitor their official security advisory channels for release of version 2.2.1 or later containing the authorization fix. As an interim mitigation while awaiting patches, implement network-level access controls to restrict unauthenticated access to the VW Education Lite application, deploy a Web Application Firewall (WAF) configured to block requests attempting state-modifying operations without proper authorization tokens, and review application logs for evidence of unauthorized modification attempts. Additionally, implement role-based access control enforcement at the application layer to ensure all endpoints validate user permissions before processing requests, and consider running VW Education Lite in an isolated network segment accessible only to authenticated and trusted users.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11959