Skip to main content

MicroRealEstate CVE-2026-57870

| EUVDEUVD-2026-42006 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-07 vdp@themissinglink.com.au GHSA-jj92-236g-5h8p
5.3
CVSS 4.0 · Vendor: themissinglink
Share

Severity by source

Vendor (themissinglink) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Low-privilege authentication required (PR:L); limited confidentiality impact only against templates (C:L); no integrity, availability, or scope-change impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (themissinglink).

CVSS VectorVendor: themissinglink

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 06:38 vuln.today

DescriptionCVE.org

Broken object-level access control on the Template API in MicroRealEstate allows attackers to retrieve document templates used by other organizations without authorization.

This issue affects MicroRealEstate: through 1.0.0-alpha3.

AnalysisAI

Broken object-level access control (BOLA) in MicroRealEstate's Template API through version 1.0.0-alpha3 permits authenticated users to retrieve document templates owned by other organizations on the same platform. Any low-privilege account holder can query template objects belonging to unrelated tenants by supplying arbitrary template identifiers, crossing multi-tenant isolation boundaries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege account on platform
Delivery
Enumerate or guess cross-tenant template IDs
Exploit
Send crafted Template API requests with foreign IDs
Execution
Server returns templates without authorization check
Impact
Exfiltrate other organizations' document templates

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated account on the target MicroRealEstate platform with at least low-privilege access (PR:L per CVSS 4.0) - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) accurately reflects a bounded confidentiality impact: authenticated exploitation yields read access to other tenants' templates but carries no integrity or availability consequence (VI:N/VA:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege account on a MicroRealEstate instance hosting multiple organizations, then iterates through template IDs (sequential or guessed) in requests to the Template API. Because the server returns templates without verifying organizational ownership, the attacker successfully exfiltrates document templates - such as custom lease agreements or notice forms - belonging to unrelated tenants. …
Remediation No vendor-released patch has been identified at time of analysis - the referenced GitHub repository does not indicate a fixed tagged release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy