Skip to main content

MphRx Minerva CVE-2026-5781

| EUVDEUVD-2026-26040 HIGH
Improper Authorization (CWE-285)
2026-04-28 cve-coordination@incibe.es
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 28, 2026 - 20:38 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 13:30 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 13:22 euvd
EUVD-2026-26040
Analysis Generated
Apr 28, 2026 - 13:22 vuln.today
CVE Published
Apr 28, 2026 - 13:19 nvd
HIGH 8.5

DescriptionCVE.org

An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitation of this vulnerability could allow an authenticated user to obtain administrator privileges. It is not possible to escalate privileges through the graphical user interface.

AnalysisAI

Privilege escalation in MphRx Minerva V3.6.0 allows authenticated users with user modification privileges to gain administrator access by manipulating the 'identifier' field in direct HTTP requests to the '/minerva/moUser/update' endpoint. While the vulnerability requires existing low-level authenticated access and cannot be exploited through the graphical interface, the CVSS v4.0 score of 8.5 reflects high impact across confidentiality, integrity, and availability in the subsequent system context (SC:H/SI:H/SA:H). No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE.

Technical ContextAI

This vulnerability affects the user management API endpoint in MphRx Minerva version 3.6.0, a healthcare/pharmaceutical software platform. The flaw is classified as CWE-285 (Improper Authorization), indicating the application fails to properly validate whether an authenticated user should be permitted to modify the 'identifier' field during user update operations. The authorization check likely occurs only at the UI layer, while the underlying REST API endpoint '/minerva/moUser/update' accepts direct HTTP requests without re-validating the requester's permission to assign elevated role identifiers. This represents a classic broken access control scenario where horizontal privilege checks (user can modify users) do not prevent vertical escalation (user can modify their own or others' privilege levels). The CVSS v4.0 vector indicates network-accessible (AV:N), low complexity (AC:L), requiring low privileges (PR:L) with no user interaction (UI:N), and critically, high impact on the subsequent system context across all CIA triad dimensions.

RemediationAI

Organizations running MphRx Minerva V3.6.0 should immediately consult the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-mphrxs-minerva for vendor-provided patches and upgrade guidance. No vendor-released patch version is independently confirmed from available data at time of analysis. As interim mitigation, restrict user modification privileges to the minimum necessary personnel and implement monitoring for unexpected privilege changes or direct API calls to '/minerva/moUser/update' outside normal business processes. Web application firewall rules can detect and block requests to this endpoint containing 'identifier' field modifications from users whose session tokens do not correspond to superuser accounts, though this requires custom rule development. Network segmentation should ensure the Minerva administrative interface is accessible only from trusted management networks, not general user VLANs. Audit existing user accounts for evidence of unauthorized privilege escalation by reviewing user modification logs and comparing current privilege assignments against authorized baselines. These compensating controls reduce but do not eliminate risk, as authenticated insiders with legitimate user management access can still exploit the flaw.

Share

CVE-2026-5781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy