Skip to main content

Minerva CVE-2026-5779

| EUVDEUVD-2026-26037 CRITICAL
Improper Access Control (CWE-284)
2026-04-28 cve-coordination@incibe.es
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:38 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 13:30 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 13:22 euvd
EUVD-2026-26037
Analysis Generated
Apr 28, 2026 - 13:22 vuln.today
CVE Published
Apr 28, 2026 - 13:19 nvd
CRITICAL 9.4

DescriptionCVE.org

An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an authenticated user to modify other users' information, such as their email address, and request a new password via the '/webconnect/#/forgotPassword' endpoint. This could lead to complete account takeover.

AnalysisAI

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to modify arbitrary user profiles via the '/minerva/user/updateUserProfile' endpoint, enabling account takeover by changing victim email addresses and triggering password reset flows. Reported by INCIBE-CERT with authentication bypass tags, indicating likely real-world discovery during security assessment. CVSS 9.4 reflects high confidentiality, integrity, and scope impacts (VC:H/VI:H/SC:H/SI:H), though the PR:L requirement (low-privileged authenticated access) limits initial attack surface to users with valid credentials.

Technical ContextAI

This vulnerability stems from CWE-284 (Improper Access Control) manifesting as an IDOR pattern where the '/minerva/user/updateUserProfile' endpoint fails to validate that the authenticated user has authorization to modify the target user profile. The application likely accepts user identifiers (UIDs, email addresses, or database keys) as request parameters without server-side verification that the authenticated session corresponds to the target profile. The attack chain leverages a secondary endpoint '/webconnect/#/forgotPassword' that accepts the newly modified email address, allowing attackers to receive password reset tokens for victim accounts. This represents a classic horizontal privilege escalation vulnerability where users at the same privilege tier can manipulate each other's resources. The CVSS vector indicates network-accessible exploitation (AV:N) with low complexity (AC:L) and no user interaction required (UI:N), meaning automated scanning and exploitation are feasible once initial authentication is obtained.

RemediationAI

Immediate action: Contact MphRx vendor support to obtain patched version status or vendor advisory referenced at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-mphrxs-minerva. No specific fix version confirmed in current intelligence. Compensating controls while awaiting patch: Implement server-side authorization checks in '/minerva/user/updateUserProfile' endpoint to verify authenticated session user ID matches target profile user ID before allowing modifications (trade-off: requires code change, may break legitimate admin functions if not scoped properly). Disable or restrict access to '/minerva/user/updateUserProfile' endpoint via web application firewall rules to only allow administrators (trade-off: prevents users from updating their own profiles). Monitor authentication logs for rapid sequences of profile updates followed by password reset requests as exploitation indicators. Enable multi-factor authentication on all accounts to reduce account takeover impact even if password reset is triggered (trade-off: deployment complexity, user friction). These workarounds do not eliminate the vulnerability and should be temporary pending vendor patch deployment.

Share

CVE-2026-5779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy