Skip to main content

Next Saas Stripe Starter CVE-2026-4548

| EUVDEUVD-2026-14306 MEDIUM
Improper Authorization (CWE-285)
2026-03-22 VulDB GHSA-8fh2-hm78-4frg
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 24, 2026 - 16:37 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
EUVD ID Assigned
Mar 22, 2026 - 13:30 euvd
EUVD-2026-14306
Analysis Generated
Mar 22, 2026 - 13:30 vuln.today
CVE Published
Mar 22, 2026 - 13:02 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was detected in mickasmt next-saas-stripe-starter 1.0.0. Affected by this vulnerability is the function updateUserrole of the file actions/update-user-role.ts. The manipulation of the argument userId/role results in improper authorization. The attack may be launched remotely.

AnalysisAI

Improper authorization in mickasmt next-saas-stripe-starter 1.0.0 allows authenticated users to manipulate userId and role parameters in the updateUserRole function, enabling unauthorized modification of user permissions. An attacker with valid credentials can exploit this vulnerability remotely to escalate privileges or modify other users' roles. No patch is currently available.

Technical ContextAI

The vulnerability resides in a Next.js server action (actions/update-user-role.ts) commonly used in SaaS applications for role-based access control (RBAC) modifications. Next-saas-stripe-starter is a TypeScript-based starter template integrating Stripe payment processing with user management, typically deployed in Node.js/Vercel environments. The root cause is classified under CWE-285 (Improper Authorization), specifically an insufficient authorization check where user input (userId and role parameters) is not properly validated against the requester's permissions before execution. The function likely fails to verify that the authenticated user has administrative privileges or authorization to modify roles for the target user, allowing horizontal or vertical privilege escalation through direct parameter manipulation.

RemediationAI

Immediately upgrade next-saas-stripe-starter to a patched version if the maintainer has released one, or apply a manual security patch to actions/update-user-role.ts that enforces proper authorization checks before role modifications (verify the authenticated user is an administrator and has explicit permission to modify the target user's role). As a compensating control pending patch availability, implement server-side middleware that restricts the updateUserRole action to users with administrative roles via middleware enforcement in your Next.js configuration, and audit all recent role modification logs for unauthorized changes. Review and restrict API endpoint access to the role update function through network controls and request signing mechanisms if operating in a critical environment. Monitor the official next-saas-stripe-starter GitHub repository (https://github.com/mickasmt/next-saas-stripe-starter/releases) for security updates and consider contributing a fix upstream if you identify the precise authorization logic flaw.

Share

CVE-2026-4548 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy