Skip to main content

Innoshop CVE-2026-39250

| EUVDEUVD-2026-30979 HIGH
Improper Access Control (CWE-284)
2026-05-19 mitre GHSA-4r28-v8q3-c59w
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 20, 2026 - 14:23 vuln.today
CVSS changed
May 20, 2026 - 14:22 NVD
7.3 (HIGH)
CVE Published
May 19, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations.

AnalysisAI

Authorization bypass in Innoshop 0.6.0 allows authenticated frontend users to directly invoke backend administrative interfaces, enabling privileged operations outside their intended scope. The CVSS 7.3 score reflects low-impact gains across confidentiality, integrity, and availability achievable without prior authentication to the admin panel. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.02% (5th percentile), indicating minimal observed attacker interest so far.

Technical ContextAI

Innoshop is an open-source e-commerce platform (per vendor site innoshop.com) that separates a customer-facing frontend from an administrative backend. The vulnerability is classified as CWE-284 (Improper Access Control), meaning backend endpoints fail to enforce role or privilege checks beyond verifying that the requester holds a valid frontend session token. In a correctly designed multi-tier application, backend administrative routes should validate both authentication AND authorization (role/permission scope), but here the latter check is missing or insufficient, allowing any logged-in shopper-level account to reach admin functionality.

RemediationAI

No vendor-released patch identified at time of analysis; no fix version is cited in the references (which include only the vendor homepage, a public gist at https://gist.github.com/hkdmh/4af513ea7589212cb1d49bc5d972972e, the NVD advisory, and VulDB entry https://vuldb.com/vuln/364714). Operators of Innoshop 0.6.0 should monitor https://www.innoshop.com/ and the project's GitHub for an upcoming release and upgrade as soon as it is published. As compensating controls until a patch ships, place the admin backend behind a separate network boundary or reverse-proxy ACL that restricts access by source IP to admin staff networks (side effect: legitimate admins working remotely need VPN); add a WAF or proxy rule that blocks frontend-session cookies from reaching admin route prefixes (side effect: must be tuned per Innoshop's URL scheme to avoid breaking shared assets); and disable or restrict new customer self-registration to shrink the attacker pool able to obtain the required frontend login.

Share

CVE-2026-39250 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy