Skip to main content

MphRx Minerva CVE-2026-5780

| EUVDEUVD-2026-26038 HIGH
Improper Access Control (CWE-284)
2026-04-28 cve-coordination@incibe.es
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:38 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 13:30 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 13:22 euvd
EUVD-2026-26038
Analysis Generated
Apr 28, 2026 - 13:22 vuln.today
CVE Published
Apr 28, 2026 - 13:19 nvd
HIGH 8.5

DescriptionCVE.org

An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the endpoint '/minerva/moUser/show/'. If this vulnerability is successfully exploited, an authenticated user can access the data of other registered users simply by modifying the ID. This allows an attacker to obtain a list of users.

AnalysisAI

Insecure direct object reference in MphRx Minerva V3.6.0 allows authenticated attackers to enumerate and exfiltrate sensitive user data across the entire application by manipulating user IDs in the '/minerva/moUser/show/' endpoint. The CVSS 4.0 score of 8.5 reflects high confidentiality impact to both vulnerable (VC:H) and subsequent (SC:H) systems, with subsequent high integrity (SI:H) and availability (SA:H) impacts indicating potential for lateral movement or privilege escalation after initial data disclosure. Coordinated disclosure by INCIBE-CERT suggests vendor notification occurred, though no public exploit code is currently identified and EPSS/KEV data are unavailable for this 2026 CVE.

Technical ContextAI

This vulnerability stems from CWE-284 (Improper Access Control), manifesting as an insecure direct object reference (IDOR) in Minerva's user management REST API endpoint. The application fails to validate that authenticated users can only access their own user records when requesting '/minerva/moUser/show/{id}'. Instead of checking session ownership against the requested user ID, the endpoint trusts client-supplied ID parameters, allowing horizontal privilege escalation. This is a classic broken access control pattern where authentication is enforced (PR:L in CVSS vector) but authorization logic is missing or improperly implemented. The vulnerability affects the user object retrieval function specifically, suggesting the flaw is in the controller layer rather than framework-level access controls. Minerva V3.6.0 is the confirmed affected version per INCIBE-CERT advisory.

RemediationAI

Apply patches or upgrades referenced in the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-mphrxs-minerva-the advisory should specify fixed version numbers or provide vendor patches (not independently confirmed from provided data). Until patching, implement server-side access control checks in the '/minerva/moUser/show/' endpoint to verify the authenticated user's session ID matches the requested user ID parameter before returning data; this requires code-level changes and should be tested to ensure legitimate multi-account admin functions are preserved. Alternatively, deploy web application firewall rules to block requests where the user ID parameter does not match the authenticated session context, though this is complex to implement correctly and may break legitimate administrative access-carefully whitelist admin roles if this approach is used. Enable detailed access logging for the moUser module to detect enumeration attempts (rapid sequential ID requests from single sessions). For high-security environments, consider restricting network access to Minerva's administrative interfaces to trusted IP ranges until vendor patches are applied, reducing the network attack vector to internal threats only.

Share

CVE-2026-5780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy