Severity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.
This issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.
AnalysisAI
Authorization bypass in DijiDemi v4.5.12.1 through v4.5.13.0 allows authenticated high-privilege users to escalate permissions through user-controlled cryptographic key manipulation. An attacker with high privileges can abuse the authorization mechanism by controlling session or authentication keys, bypassing intended access restrictions and potentially modifying data or executing unauthorized operations, though exploitation requires user interaction and high-privilege account access.
Technical ContextAI
DijiDemi's authorization mechanism relies on cryptographic keys or session identifiers that are insufficiently validated against user-supplied input. The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), which occurs when applications use user-supplied data as cryptographic or session management keys without proper validation or derivation through secure mechanisms. The affected versions fail to properly segregate user-controllable authentication material from trusted authorization decisions, allowing a high-privilege user to manipulate key generation or validation logic. This typically manifests in session token generation, API key handling, or role-based access control (RBAC) key structures where the application accepts user-provided input that influences authorization decisions.
RemediationAI
Upgrade DijiDemi to v4.5.13.0 or later, which contains the authorization bypass fix. Per vendor advisory TR-CERT security bulletin TR-26-0239, this release hardens key validation and prevents user-controlled manipulation of authorization tokens. If immediate patching is not feasible, implement access controls to restrict which users can access sensitive DijiDemi administrative functions or API endpoints that involve key management or privilege escalation. Monitor high-privilege user activity logs for anomalous authorization requests or key manipulation attempts. Disable non-essential high-privilege accounts and enforce principle of least privilege for administrative access. Note that these compensating controls do not eliminate the vulnerability and should be temporary; patching remains the required fix.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30270
GHSA-6pgg-77xr-rqqp