Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in vowelweb VW School Education vw-school-education allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW School Education: from n/a through <= 1.4.6.
AnalysisAI
Improper access control in VW School Education through version 1.4.6 allows unauthenticated remote attackers to modify data by exploiting misconfigured security levels. The vulnerability enables integrity compromise without requiring authentication or user interaction, affecting educational institutions using affected versions.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control flaw where the application fails to verify that users have explicit permission to perform sensitive operations. The vowelweb VW School Education platform, designed for educational institution management, implements inadequate authorization checks at the application layer. Rather than a cryptographic or protocol-level weakness, this is a business logic vulnerability where access control decisions are either omitted entirely or based on insufficient identity validation. The vulnerability affects the application's ability to enforce role-based or attribute-based access control, allowing attackers to bypass intended security boundaries through direct API calls or web requests without authentication credentials.
RemediationAI
The primary remediation is to upgrade vowelweb VW School Education to a version beyond 1.4.6 as soon as a patched version is made available by the vendor. Users should check the official vowelweb website and security advisories for the specific patch version number and apply it immediately. As an interim mitigation while awaiting patches, implement network-level access controls by restricting access to the VW School Education application to trusted IP ranges (such as school networks or VPN-only access), disable or restrict anonymous/unauthenticated API endpoints, enforce strong authentication for all user accounts, and conduct an access control audit to identify any unauthorized data modifications that may have already occurred. Additionally, implement detailed application logging and monitoring to detect suspicious data modification attempts, and consider deploying a Web Application Firewall (WAF) configured to block requests that attempt to access resources without proper authorization headers.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11980