Paymenter CVE-2026-44585
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Requires authenticated customer session (PR:L) and trivial HTTP parameter substitution (AC:L); no direct data retrieval caps confidentiality and integrity at Low, with no availability impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The ticket creation endpoint accepts a user-supplied service identifier without enforcing ownership validation, allowing authenticated users to create support tickets referencing services belonging to other accounts by modifying the service ID in the request.
Technical Details
The ticket creation endpoint accepted a user-supplied service identifier without verifying ownership or authorization against the authenticated account. An attacker could modify the service ID value in the client-side request and successfully create a ticket associated with another user's service.
The vulnerability required authentication and did not provide direct access to service contents or customer data. However, referenced service information could become visible to support personnel handling the ticket.
Impact
Successful exploitation could allow an authenticated user to:
- Create support tickets referencing services belonging to other users
- Potentially cause support staff to interact with or review unrelated customer services
The vulnerability did not allow:
- Direct access to another user's service
- Modification of another user's service
- Retrieval of confidential service data through the vulnerable endpoint itself
AnalysisAI
Broken object level authorization (BOLA) in Paymenter's ticket creation endpoint allows any authenticated customer to reference another account's service by substituting the service ID in the HTTP request, causing support personnel to inadvertently review that third-party service. The flaw affects all Paymenter installations running versions prior to 1.5.0 (pkg:composer/paymenter/paymenter). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active authenticated customer account on the target Paymenter instance (PR:L per CVSS vector) - unauthenticated access is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.4 (Medium) is technically consistent with the described behavior: network-accessible (AV:N), low complexity (AC:L), low privilege required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and low confidentiality and integrity impacts (C:L/I:L) with no availability effect (A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Paymenter customer opens their own ticket creation form, intercepts the outbound HTTP POST request using a proxy tool such as Burp Suite, and replaces their own service_id parameter with the numeric ID of a service belonging to a different account. The server validates authentication but not service ownership, accepts the request, and creates a ticket referencing the victim's service. … |
| Remediation | Upgrade Paymenter to version 1.5.0 or later, which is the vendor-confirmed fixed release per GHSA-x93q-x9pc-w5hw (https://github.com/Paymenter/Paymenter/security/advisories/GHSA-x93q-x9pc-w5hw). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x93q-x9pc-w5hw