Skip to main content

Paymenter CVE-2026-44585

MEDIUM
Missing Authorization (CWE-862)
2026-06-22 https://github.com/Paymenter/Paymenter GHSA-x93q-x9pc-w5hw
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Requires authenticated customer session (PR:L) and trivial HTTP parameter substitution (AC:L); no direct data retrieval caps confidentiality and integrity at Low, with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 20:51 vuln.today
Analysis Generated
Jun 22, 2026 - 20:51 vuln.today

DescriptionGitHub Advisory

Summary

The ticket creation endpoint accepts a user-supplied service identifier without enforcing ownership validation, allowing authenticated users to create support tickets referencing services belonging to other accounts by modifying the service ID in the request.

Technical Details

The ticket creation endpoint accepted a user-supplied service identifier without verifying ownership or authorization against the authenticated account. An attacker could modify the service ID value in the client-side request and successfully create a ticket associated with another user's service.

The vulnerability required authentication and did not provide direct access to service contents or customer data. However, referenced service information could become visible to support personnel handling the ticket.

Impact

Successful exploitation could allow an authenticated user to:

  • Create support tickets referencing services belonging to other users
  • Potentially cause support staff to interact with or review unrelated customer services

The vulnerability did not allow:

  • Direct access to another user's service
  • Modification of another user's service
  • Retrieval of confidential service data through the vulnerable endpoint itself

AnalysisAI

Broken object level authorization (BOLA) in Paymenter's ticket creation endpoint allows any authenticated customer to reference another account's service by substituting the service ID in the HTTP request, causing support personnel to inadvertently review that third-party service. The flaw affects all Paymenter installations running versions prior to 1.5.0 (pkg:composer/paymenter/paymenter). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Log in with valid customer credentials
Delivery
Initiate ticket creation and intercept HTTP request
Exploit
Substitute own service_id with enumerated victim service_id
Execution
Submit modified POST request
Persist
Server creates ticket referencing victim service
Impact
Support staff reviews victim's service details

Vulnerability AssessmentAI

Exploitation Exploitation requires an active authenticated customer account on the target Paymenter instance (PR:L per CVSS vector) - unauthenticated access is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.4 (Medium) is technically consistent with the described behavior: network-accessible (AV:N), low complexity (AC:L), low privilege required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and low confidentiality and integrity impacts (C:L/I:L) with no availability effect (A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Paymenter customer opens their own ticket creation form, intercepts the outbound HTTP POST request using a proxy tool such as Burp Suite, and replaces their own service_id parameter with the numeric ID of a service belonging to a different account. The server validates authentication but not service ownership, accepts the request, and creates a ticket referencing the victim's service. …
Remediation Upgrade Paymenter to version 1.5.0 or later, which is the vendor-confirmed fixed release per GHSA-x93q-x9pc-w5hw (https://github.com/Paymenter/Paymenter/security/advisories/GHSA-x93q-x9pc-w5hw). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy