Skip to main content

BAPSİS CVE-2026-6001

| EUVDEUVD-2026-29442 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-12 TR-CERT GHSA-q4cr-cjq5-h3m4
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 10:31 vuln.today
CVE Published
May 12, 2026 - 09:53 nvd
HIGH 8.8

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers.

This issue affects BAPSİS: before v.202604152042.

AnalysisAI

Authorization bypass in BAPSİS web application enables unauthenticated remote attackers to exploit trusted identifiers through user-controlled keys when victims interact with crafted requests. ABIS Technology's BAPSİS platform (versions before v.202604152042) contains a CWE-639 flaw where authorization checks rely on client-controlled key values, allowing attackers to manipulate trust relationships and gain unauthorized access with high impact to confidentiality, integrity, and availability. TR-CERT published advisory but no public exploit code identified at time of analysis, with CVSS 8.8 reflecting network-exploitable attack requiring only user interaction.

Technical ContextAI

This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a design flaw where the application uses attacker-controllable input to determine authorization decisions. In BAPSİS, the system appears to rely on user-supplied identifiers or keys (such as session tokens, user IDs, or reference parameters) to establish trust relationships without proper server-side validation. The CPE identifier (cpe:2.3:a:abis_technology_ltd._co.:bapsi̇s) indicates this affects ABIS Technology's proprietary BAPSİS platform, likely a business application or management system. The CVSS vector's Network attack vector (AV:N) and Low complexity (AC:L) indicate the vulnerability is exploitable through standard web protocols without requiring specialized conditions, while the High ratings across Confidentiality, Integrity, and Availability (C:H/I:H/A:H) suggest the flaw allows complete compromise of authorization boundaries once exploited.

RemediationAI

Upgrade BAPSİS to version 202604152042 or later immediately, as confirmed by TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0223. The version string format (YYYYMMDDHHMM) indicates this is a timestamp-based release from April 15, 2026, 20:42 UTC. If immediate patching is not feasible, implement compensating controls: (1) Deploy web application firewall rules to validate and sanitize all user-supplied identifiers and keys used in authorization decisions, though this may break legitimate application functionality if key formats are not well-documented; (2) Restrict BAPSİS access to trusted internal networks only via firewall rules or VPN requirement, eliminating the network attack vector but impacting remote users; (3) Implement mandatory multi-factor authentication at the infrastructure layer (reverse proxy, VPN) to add authentication barriers despite the application-level bypass, adding operational overhead but reducing exploitation risk. Monitor application logs for anomalous authorization patterns, such as rapid privilege escalation or access to resources without corresponding authentication events. All workarounds are temporary - the authorization logic flaw requires code-level fixes only available in the patched version.

Share

CVE-2026-6001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy