BookCars CVE-2026-36720
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
8DescriptionCVE.org
Insecure permissions in bookcars v8.3 allows authenticated attackers to escalate privileges from user to admin via modifying their user type.
AnalysisAI
Privilege escalation in BookCars v8.3 allows authenticated low-privileged users to elevate themselves to administrator by modifying their own user type attribute, due to missing server-side authorization checks. The flaw is documented in a public GitHub vulnerability writeup but is not listed in CISA KEV, and no public weaponized exploit has been catalogued at time of analysis. CVSS 8.1 reflects high confidentiality and integrity impact achievable over the network with only a standard user account.
Technical ContextAI
BookCars is an open-source car rental booking platform (typically Node.js/MongoDB-based) that distinguishes between regular users and administrators via a user-type/role attribute stored on the user record. CWE-284 (Improper Access Control) applies because the application accepts client-supplied modifications to the user-type field on its profile or user-management endpoint without verifying that the caller holds administrator privileges, effectively trusting the role field as user-controllable data. The provided CPE entry (cpe:2.3:a:n/a:n/a) is a placeholder and contributes no additional vendor/product mapping, so identification relies on the description and the linked GitHub writeup naming BookCars v8.3.
RemediationAI
No vendor-released patch identified at time of analysis; operators should monitor the upstream BookCars repository for a fixed release addressing CVE-2026-36720 and apply it as soon as published. As compensating controls, enforce server-side authorization on every user-update endpoint so that the user-type/role field can only be modified by an authenticated administrator (strip or ignore the field on self-update requests), audit existing user accounts for unexpected admin role assignments, and place the administrative interface behind network restrictions or a reverse proxy that requires an additional factor - noting that admin-IP allowlisting can break legitimate remote management and self-service profile editing may still expose other mass-assignment bugs if the underlying ORM uses blanket object binding. The reference writeup at https://github.com/CC-T-454455/Vulnerabilities/tree/master/bookcars/vulnerability-3 should be reviewed to identify the exact request shape to block at a WAF until a code fix is deployed.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today