Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in vowelweb VW Fitness vw-fitness allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Fitness: from n/a through <= 4.3.4.
AnalysisAI
VW Fitness through version 4.3.4 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. An attacker can exploit this to perform unauthorized actions without requiring authentication or user interaction. No patch is currently available for affected installations.
Technical ContextAI
This vulnerability stems from improper implementation of access control mechanisms in the VW Fitness web application (CPE identifier: cpe:2.3:a:vowelweb:vw_fitness). CWE-862 (Missing Authorization) indicates that the application fails to enforce authorization checks before allowing sensitive operations, meaning certain API endpoints or functions do not verify whether the requesting user has permission to perform the requested action. The affected versions through 4.3.4 contain security-level configurations that are either misconfigured by default or improperly validated at runtime. The network attack vector (AV:N) indicates the flaw can be exploited directly over the network without requiring local access, and the low attack complexity (AC:L) means no special conditions or techniques are required beyond standard HTTP requests.
RemediationAI
Immediately upgrade vowelweb VW Fitness to a version newer than 4.3.4 (consult vendor documentation for the first patched release, typically 4.3.5 or 4.4.0). If immediate patching is not feasible, implement network-level access controls by restricting access to the VW Fitness application endpoints to trusted IP ranges only, disabling unauthenticated API access where possible, and implementing a Web Application Firewall (WAF) rule set to require valid authentication tokens on all sensitive endpoints. Additionally, conduct an access control audit of the application configuration to identify any incorrectly configured security levels and manually enforce proper role-based access control (RBAC) at the application configuration level until a patched version is deployed.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11971