Skip to main content

Vitals Esp CVE-2026-4639

| EUVDEUVD-2026-14740 HIGH
Incorrect Authorization (CWE-863)
2026-03-24 twcert GHSA-p89v-94g7-8vxf
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 15, 2026 - 16:37 NVD
8.8 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Mar 24, 2026 - 05:15 euvd
EUVD-2026-14740
Analysis Generated
Mar 24, 2026 - 05:15 vuln.today
CVE Published
Mar 24, 2026 - 04:17 nvd
HIGH 8.8

DescriptionCVE.org

Vitals ESP developed by Galaxy Software Services has a Incorrect Authorization vulnerability, allowing authenticated remote attackers to perform certain administrative functions, thereby escalating privileges.

AnalysisAI

Vitals ESP, a healthcare software product developed by Galaxy Software Services, contains an incorrect authorization vulnerability that allows authenticated remote attackers with low-level privileges to escalate their access and perform administrative functions. The vulnerability has a CVSS score of 8.8 (High), indicating network-based exploitation with low attack complexity requiring only low-level authentication. No KEV listing or EPSS data is currently available, though Taiwan CERT (TWCERT) has published advisories on this issue.

Technical ContextAI

The vulnerability affects Vitals ESP (cpe:2.3:a:galaxy_software_services:vitals_esp:*:*:*:*:*:*:*:*), which appears to be an enterprise software platform likely used in healthcare environments based on the 'Vitals' naming convention and ESP (Enterprise Software Platform) designation. The root cause is classified as CWE-863 (Incorrect Authorization), meaning the application fails to properly verify whether an authenticated user has the necessary permissions to access restricted administrative functionality. This is distinct from authentication bypass (though tagged as such) - users must authenticate, but the authorization checks fail to enforce proper role separation between regular users and administrators, allowing horizontal or vertical privilege escalation once authenticated.

RemediationAI

Organizations using Vitals ESP should immediately consult the Taiwan CERT advisories at https://www.twcert.org.tw/tw/cp-132-10794-704a2-1.html and https://www.twcert.org.tw/en/cp-139-10795-25784-2.html for vendor-specific patching guidance and version upgrade instructions. Contact Galaxy Software Services directly for patch availability and deployment timelines. As an interim mitigation measure until patching is completed, implement strict network segmentation to limit access to Vitals ESP only from trusted internal networks, disable or closely monitor low-privilege user accounts, enhance logging and monitoring for administrative function access to detect unauthorized privilege escalation attempts, and consider implementing additional authentication layers (such as multi-factor authentication) for all administrative operations if the platform supports such controls.

Share

CVE-2026-4639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy