Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an authenticated user to modify other users' information, such as their email address, and request a new password via the '/webconnect/#/forgotPassword' endpoint. This could lead to complete account takeover.
AnalysisAI
Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to modify arbitrary user profiles via the '/minerva/user/updateUserProfile' endpoint, enabling account takeover by changing victim email addresses and triggering password reset flows. Reported by INCIBE-CERT with authentication bypass tags, indicating likely real-world discovery during security assessment. CVSS 9.4 reflects high confidentiality, integrity, and scope impacts (VC:H/VI:H/SC:H/SI:H), though the PR:L requirement (low-privileged authenticated access) limits initial attack surface to users with valid credentials.
Technical ContextAI
This vulnerability stems from CWE-284 (Improper Access Control) manifesting as an IDOR pattern where the '/minerva/user/updateUserProfile' endpoint fails to validate that the authenticated user has authorization to modify the target user profile. The application likely accepts user identifiers (UIDs, email addresses, or database keys) as request parameters without server-side verification that the authenticated session corresponds to the target profile. The attack chain leverages a secondary endpoint '/webconnect/#/forgotPassword' that accepts the newly modified email address, allowing attackers to receive password reset tokens for victim accounts. This represents a classic horizontal privilege escalation vulnerability where users at the same privilege tier can manipulate each other's resources. The CVSS vector indicates network-accessible exploitation (AV:N) with low complexity (AC:L) and no user interaction required (UI:N), meaning automated scanning and exploitation are feasible once initial authentication is obtained.
RemediationAI
Immediate action: Contact MphRx vendor support to obtain patched version status or vendor advisory referenced at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-mphrxs-minerva. No specific fix version confirmed in current intelligence. Compensating controls while awaiting patch: Implement server-side authorization checks in '/minerva/user/updateUserProfile' endpoint to verify authenticated session user ID matches target profile user ID before allowing modifications (trade-off: requires code change, may break legitimate admin functions if not scoped properly). Disable or restrict access to '/minerva/user/updateUserProfile' endpoint via web application firewall rules to only allow administrators (trade-off: prevents users from updating their own profiles). Monitor authentication logs for rapid sequences of profile updates followed by password reset requests as exploitation indicators. Enable multi-factor authentication on all accounts to reduce account takeover impact even if password reset is triggered (trade-off: deployment complexity, user friction). These workarounds do not eliminate the vulnerability and should be temporary pending vendor patch deployment.
Privilege escalation in MphRx Minerva V3.6.0 allows authenticated users with user modification privileges to gain admini
Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to enumerate and exfiltrate sens
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26037