Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from: '/api/suppliers/v1/suppliers//false' to list user information; and '/#/supplier-registration/supplier-registration//2' to update your user information (personal details, documents, etc.).
AnalysisAI
Insecure direct object reference in Fullstep V5 allows authenticated users to enumerate and modify other users' supplier registration data via predictable API endpoints. Authenticated attackers with low privileges can exploit vulnerable GET and POST endpoints to list sensitive user information (/api/suppliers/v1/suppliers/) and update arbitrary user profiles including personal details and documents (/#/supplier-registration/supplier-registration/). CVSS 7.6 reflects high confidentiality and integrity impact with low attack complexity. No public exploit code identified at time of analysis, but the IDOR pattern is trivial to exploit once authenticated. INCIBE-CERT advisory confirms patch availability from vendor.
Technical ContextAI
This vulnerability exploits CWE-639 (Authorization Bypass Through User-Controlled Key), a classic insecure direct object reference where sequential or predictable identifiers in REST API endpoints allow horizontal privilege escalation. The Fullstep V5 supplier registration module fails to validate that authenticated users can only access their own resource identifiers. The vulnerable endpoints use URL path parameters to specify user/supplier IDs without server-side authorization checks. Attackers manipulate the ID values in '/api/suppliers/v1/suppliers/{ID}/false' (GET for enumeration) and '/#/supplier-registration/supplier-registration/{ID}/2' (POST/PUT for modification) to traverse through other users' data. This is a authorization logic flaw rather than authentication bypass - users must authenticate, but the application trusts client-supplied object references without verifying ownership. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L) indicates network-accessible exploitation with low complexity once low-privilege authentication is achieved, with attack requirements present but not extensive.
RemediationAI
Apply vendor-released patch immediately per INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep. The advisory indicates patches are available directly from Fullstep for these multiple vulnerabilities. Until patching is complete, implement compensating controls: enforce server-side authorization checks that validate authenticated user identity matches the requested resource owner before returning or modifying supplier data; implement indirect object references using session-bound tokens or UUIDs instead of sequential IDs in API paths; deploy API gateway rules to log and alert on rapid sequential ID enumeration attempts (indicative of IDOR exploitation); restrict supplier registration API access to minimum necessary user roles; enable detailed audit logging on /api/suppliers/v1/suppliers/ and supplier-registration endpoints to detect unauthorized access patterns. Note that frontend-only restrictions are insufficient - attackers can bypass them with direct API calls. Review access logs for the vulnerable endpoints to identify potential historical exploitation before patch deployment. Organizations unable to patch immediately should consider temporarily disabling supplier registration functionality if business operations permit, though this significantly impacts procurement workflows.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24746
GHSA-27hq-xp89-25mq