Skip to main content

Stel Order CVE-2026-5798

| EUVDEUVD-2026-30269 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 INCIBE GHSA-q39g-q5qr-xx67
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 15:30 vuln.today
CVSS changed
May 14, 2026 - 13:22 NVD
7.1 (HIGH)
CVE Published
May 14, 2026 - 12:26 nvd
HIGH 7.1
CVE Published
May 14, 2026 - 12:26 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee (first names, last names, roles, job titles, and vacation records, among others) by modifying that identifier in requests sent to the server.

AnalysisAI

Insecure Direct Object Reference (IDOR) in Stel Order v3.25.1 and earlier allows authenticated attackers with low privileges to access confidential employee information across the organization by manipulating the 'employeeID' parameter in requests to the '/app/FrontController' endpoint. Attackers can enumerate and retrieve personal data including names, roles, job titles, and vacation records for any employee regardless of authorization level. EPSS data not available; no confirmed active exploitation (not in CISA KEV). CVSS 7.1 reflects high confidentiality impact but requires authentication, limiting immediate exposure to insider threats or compromised accounts.

Technical ContextAI

This vulnerability stems from inadequate access control implementation in the Stel Order web application framework. The /app/FrontController endpoint fails to validate whether the authenticated user has authorization to access employee records corresponding to the requested employeeID parameter. This is a classic manifestation of CWE-639 (Authorization Bypass Through User-Controlled Key), where user-supplied input directly controls object access without proper permission checks. The application likely uses the employeeID as a direct database key without implementing attribute-based or role-based access controls to verify the requesting user's rights to view that specific employee's data. The affected product is identified as Stel Order (CPE: cpe:2.3:a:stel_order:stel_order), a Spanish ordering/workforce management system, with all versions through 3.25.1 vulnerable.

RemediationAI

Apply vendor-released security patches when available by consulting the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-stel-order for specific fix versions and update instructions. The advisory title indicates 'multiple vulnerabilities' suggesting a comprehensive security update may address this and related issues. Until patches are deployed, implement these compensating controls: (1) Restrict access to the /app/FrontController endpoint using web application firewall rules to only authorized IP ranges or networks, understanding this reduces remote access functionality. (2) Implement additional session-based access control middleware that validates employeeID parameters against the authenticated user's authorized scope before processing requests - this requires custom development but provides defense-in-depth. (3) Enable comprehensive logging of all requests to /app/FrontController with employeeID parameters to detect enumeration attempts (multiple sequential requests with incrementing IDs), though this is detective rather than preventive. (4) Apply principle of least privilege by auditing user accounts and removing unnecessary low-privilege access to the application. Monitor the INCIBE advisory for official patching guidance and consider engaging directly with Stel Order support for remediation timelines.

Share

CVE-2026-5798 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy