Skip to main content

BookCars CVE-2026-36720

HIGH
Improper Access Control (CWE-284)
2026-06-09 mitre
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jun 09, 2026 - 22:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 09, 2026 - 22:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 09, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jun 09, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jun 09, 2026 - 22:22 NVD
6.5 (MEDIUM) 8.1 (HIGH)
Analysis Generated
Jun 09, 2026 - 21:36 vuln.today
CVSS changed
Jun 09, 2026 - 20:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 09, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insecure permissions in bookcars v8.3 allows authenticated attackers to escalate privileges from user to admin via modifying their user type.

AnalysisAI

Privilege escalation in BookCars v8.3 allows authenticated low-privileged users to elevate themselves to administrator by modifying their own user type attribute, due to missing server-side authorization checks. The flaw is documented in a public GitHub vulnerability writeup but is not listed in CISA KEV, and no public weaponized exploit has been catalogued at time of analysis. CVSS 8.1 reflects high confidentiality and integrity impact achievable over the network with only a standard user account.

Technical ContextAI

BookCars is an open-source car rental booking platform (typically Node.js/MongoDB-based) that distinguishes between regular users and administrators via a user-type/role attribute stored on the user record. CWE-284 (Improper Access Control) applies because the application accepts client-supplied modifications to the user-type field on its profile or user-management endpoint without verifying that the caller holds administrator privileges, effectively trusting the role field as user-controllable data. The provided CPE entry (cpe:2.3:a:n/a:n/a) is a placeholder and contributes no additional vendor/product mapping, so identification relies on the description and the linked GitHub writeup naming BookCars v8.3.

RemediationAI

No vendor-released patch identified at time of analysis; operators should monitor the upstream BookCars repository for a fixed release addressing CVE-2026-36720 and apply it as soon as published. As compensating controls, enforce server-side authorization on every user-update endpoint so that the user-type/role field can only be modified by an authenticated administrator (strip or ignore the field on self-update requests), audit existing user accounts for unexpected admin role assignments, and place the administrative interface behind network restrictions or a reverse proxy that requires an additional factor - noting that admin-IP allowlisting can break legitimate remote management and self-service profile editing may still expose other mass-assignment bugs if the underlying ORM uses blanket object binding. The reference writeup at https://github.com/CC-T-454455/Vulnerabilities/tree/master/bookcars/vulnerability-3 should be reviewed to identify the exact request shape to block at a WAF until a code fix is deployed.

Share

CVE-2026-36720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy