Skip to main content

kvf-admin CVE-2026-38807

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-27 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 16:22 vuln.today
CVSS changed
May 28, 2026 - 16:22 NVD
8.8 (None) 8.8 (HIGH)
CVE Published
May 27, 2026 - 18:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component

AnalysisAI

Privilege escalation in kvf-admin v1.0.0 allows authenticated remote attackers to elevate their privileges by abusing insecure permission checks within the UserController.java component. The flaw maps to CWE-639 (Authorization Bypass Through User-Controlled Key), and while publicly available exploit code exists per the referenced GitHub issue, EPSS is very low (0.04%, 13th percentile), indicating limited observed exploitation activity. No CISA KEV listing exists, so this is not confirmed actively exploited.

Technical ContextAI

kvf-admin is a Java-based administrative backend framework (consistent with the 'Java' tag) that exposes user management functionality through Spring-style MVC controllers, specifically UserController.java. The underlying weakness is CWE-639, Authorization Bypass Through User-Controlled Key, meaning the controller trusts a user-supplied identifier (such as a userId or role parameter) when performing user operations without verifying that the requesting principal is authorized to act on that target object. Because the affected component handles user records, the missing object-level authorization check enables an authenticated low-privilege user to manipulate or assume the identity/role of higher-privileged accounts. No CPE strings were published in the intelligence provided, so affected component coverage is limited to the vendor's stated version 1.0.0.

Affected ProductsAI

The advisory names kvf-admin version 1.0.0 as affected, with the vulnerability located in the UserController.java component of the user management module. No CPE strings were published with this CVE, and no official vendor advisory URL is provided in the intelligence set; the only reference is a third-party proof-of-concept report at https://github.com/cagexunxi/CVE/issues/1, which should be reviewed for exact build identifiers. Later versions of kvf-admin are not explicitly confirmed vulnerable or fixed from the available data.

RemediationAI

No vendor-released patch identified at time of analysis - the only public reference is the researcher write-up at https://github.com/cagexunxi/CVE/issues/1, which should be monitored along with the upstream kvf-admin repository for a tagged 1.0.1+ release or commit addressing UserController.java authorization checks. In the interim, restrict network access to the kvf-admin management interface to trusted administrative networks or via VPN/zero-trust gateway (trade-off: blocks legitimate remote admins until allowlisted), tighten account provisioning so that low-privilege accounts cannot be created or self-registered (trade-off: may break onboarding workflows), and add a reverse-proxy or WAF rule that strips or rejects unexpected userId/role parameters on requests targeting the UserController endpoints (trade-off: may break legitimate admin actions that legitimately reference other users by ID, requiring per-endpoint tuning). Audit existing user and role tables for unauthorized privilege grants made prior to mitigation.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-38807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy