Skip to main content

WriteUp Mobile App CVE-2026-5228

| EUVDEUVD-2026-34283 HIGH
Improper Access Control (CWE-284)
2026-06-04 TR-CERT GHSA-q2v7-xv64-8j7v
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 16:16 vuln.today

DescriptionCVE.org

Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects WriteUp Mobile App: from 1.3.0 through 04062026.

AnalysisAI

Authorization bypass in Kurt Software Studio WriteUp Mobile App versions 1.3.0 through 04062026 allows authenticated users to access functionality outside their permitted scope, leading to high confidentiality, integrity, and availability impact. The flaw, reported by Turkey's national CERT (TR-CERT), stems from missing ACL enforcement on application functions reachable over the network with low privileges. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Technical ContextAI

The vulnerability is a CWE-284 (Improper Access Control) / Missing Authorization defect in the WriteUp mobile application stack, identified by CPE cpe:2.3:a:kurt_software_studio:writeup_mobile_app. Mobile apps of this class typically front a backend API that must enforce per-user or per-role authorization on every endpoint; this CVE indicates the application exposes one or more functions that perform privileged actions without verifying that the requesting principal is entitled to invoke them. Because the CVSS scope is Unchanged but confidentiality, integrity, and availability are all High, the missing checks likely guard operations that read, modify, or destroy data belonging to other users within the same application boundary.

RemediationAI

No vendor-released patch identified at time of analysis in the provided data; consult the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0310 for the current fix release from Kurt Software Studio and upgrade beyond the 04062026 build once published. Until a fixed version is available, compensating controls should focus on the server-side API rather than the mobile client: enforce per-object authorization checks at the API gateway or backend, restrict sensitive endpoints to trusted networks or VPN access (accepting that this breaks general mobile use), revoke or rotate session tokens for any account suspected of probing other users' resources, and add detection rules for users issuing requests with IDs or references they do not own. Disabling the mobile app entirely is the only client-side mitigation and will block legitimate use, so it is only appropriate for high-sensitivity tenants.

Share

CVE-2026-5228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy