kvf-admin CVE-2026-38807
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component
AnalysisAI
Privilege escalation in kvf-admin v1.0.0 allows authenticated remote attackers to elevate their privileges by abusing insecure permission checks within the UserController.java component. The flaw maps to CWE-639 (Authorization Bypass Through User-Controlled Key), and while publicly available exploit code exists per the referenced GitHub issue, EPSS is very low (0.04%, 13th percentile), indicating limited observed exploitation activity. No CISA KEV listing exists, so this is not confirmed actively exploited.
Technical ContextAI
kvf-admin is a Java-based administrative backend framework (consistent with the 'Java' tag) that exposes user management functionality through Spring-style MVC controllers, specifically UserController.java. The underlying weakness is CWE-639, Authorization Bypass Through User-Controlled Key, meaning the controller trusts a user-supplied identifier (such as a userId or role parameter) when performing user operations without verifying that the requesting principal is authorized to act on that target object. Because the affected component handles user records, the missing object-level authorization check enables an authenticated low-privilege user to manipulate or assume the identity/role of higher-privileged accounts. No CPE strings were published in the intelligence provided, so affected component coverage is limited to the vendor's stated version 1.0.0.
Affected ProductsAI
The advisory names kvf-admin version 1.0.0 as affected, with the vulnerability located in the UserController.java component of the user management module. No CPE strings were published with this CVE, and no official vendor advisory URL is provided in the intelligence set; the only reference is a third-party proof-of-concept report at https://github.com/cagexunxi/CVE/issues/1, which should be reviewed for exact build identifiers. Later versions of kvf-admin are not explicitly confirmed vulnerable or fixed from the available data.
RemediationAI
No vendor-released patch identified at time of analysis - the only public reference is the researcher write-up at https://github.com/cagexunxi/CVE/issues/1, which should be monitored along with the upstream kvf-admin repository for a tagged 1.0.1+ release or commit addressing UserController.java authorization checks. In the interim, restrict network access to the kvf-admin management interface to trusted administrative networks or via VPN/zero-trust gateway (trade-off: blocks legitimate remote admins until allowlisted), tighten account provisioning so that low-privilege accounts cannot be created or self-registered (trade-off: may break onboarding workflows), and add a reverse-proxy or WAF rule that strips or rejects unexpected userId/role parameters on requests targeting the UserController endpoints (trade-off: may break legitimate admin actions that legitimately reference other users by ID, requiring per-endpoint tuning). Audit existing user and role tables for unauthorized privilege grants made prior to mitigation.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today