Skip to main content

DijiDemi CVE-2026-6008

| EUVDEUVD-2026-30270 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 TR-CERT GHSA-6pgg-77xr-rqqp
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 13:17 vuln.today
CVE Published
May 14, 2026 - 12:24 nvd
MEDIUM 6.8

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.

This issue affects DijiDemi: from v4.5.12.1 before v4.5.13.0.

AnalysisAI

Authorization bypass in DijiDemi v4.5.12.1 through v4.5.13.0 allows authenticated high-privilege users to escalate permissions through user-controlled cryptographic key manipulation. An attacker with high privileges can abuse the authorization mechanism by controlling session or authentication keys, bypassing intended access restrictions and potentially modifying data or executing unauthorized operations, though exploitation requires user interaction and high-privilege account access.

Technical ContextAI

DijiDemi's authorization mechanism relies on cryptographic keys or session identifiers that are insufficiently validated against user-supplied input. The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), which occurs when applications use user-supplied data as cryptographic or session management keys without proper validation or derivation through secure mechanisms. The affected versions fail to properly segregate user-controllable authentication material from trusted authorization decisions, allowing a high-privilege user to manipulate key generation or validation logic. This typically manifests in session token generation, API key handling, or role-based access control (RBAC) key structures where the application accepts user-provided input that influences authorization decisions.

RemediationAI

Upgrade DijiDemi to v4.5.13.0 or later, which contains the authorization bypass fix. Per vendor advisory TR-CERT security bulletin TR-26-0239, this release hardens key validation and prevents user-controlled manipulation of authorization tokens. If immediate patching is not feasible, implement access controls to restrict which users can access sensitive DijiDemi administrative functions or API endpoints that involve key management or privilege escalation. Monitor high-privilege user activity logs for anomalous authorization requests or key manipulation attempts. Disable non-essential high-privilege accounts and enforce principle of least privilege for administrative access. Note that these compensating controls do not eliminate the vulnerability and should be temporary; patching remains the required fix.

Share

CVE-2026-6008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy