Skip to main content

MeWare PDKS CVE-2026-7382

| EUVDEUVD-2026-26370 MEDIUM
Information Exposure (CWE-200)
2026-04-30 TR-CERT
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 30, 2026 - 13:30 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 13:00 euvd
EUVD-2026-26370
Analysis Generated
Apr 30, 2026 - 13:00 vuln.today
CVE Published
Apr 30, 2026 - 12:34 nvd
MEDIUM 6.5

DescriptionCVE.org

Exposure of Sensitive Information to an Unauthorized Actor, Exposure of private personal information to an unauthorized actor vulnerability in MeWare Software Development Inc. PDKS allows Excavation.

This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

AnalysisAI

Authenticated remote attackers can access sensitive personal information in MeWare PDKS versions 16.20200313 through before VMYR_3.5.2025117 due to improper access controls. The vulnerability allows disclosure of private data without authorization, affecting confidentiality. CVSS score of 6.5 reflects moderate severity with network accessibility and low attack complexity, though authentication is required. No active exploitation or public proof-of-concept has been confirmed at time of analysis.

Technical ContextAI

MeWare PDKS (likely referring to a Product Data or Digital Knowledge System) implements insufficient authorization controls over sensitive personal information resources. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates the application fails to properly restrict access to data that should only be accessible to specific users or roles. The vulnerability manifests at the network layer (AV:N) with low attack complexity, suggesting the flaw is inherent to the application logic rather than requiring specific environmental conditions. The low privilege requirement (PR:L) indicates an authenticated user with minimal permissions can trigger disclosure, suggesting the root cause is inadequate role-based or attribute-based access control validation.

RemediationAI

Upgrade MeWare PDKS to version VMYR_3.5.2025117 or later immediately to address the authorization bypass. This patch version includes corrected access control logic to prevent unauthorized data disclosure. Pending patch deployment, restrict network access to PDKS instances using firewall rules to limit authentication attempts to trusted IP ranges, and enforce multi-factor authentication for user accounts with data access privileges to increase the privilege barrier (PR:L becomes harder to satisfy). Review and audit user access logs in affected systems to identify whether the vulnerability has been exploited to access sensitive personal information, enabling timely notification if required. Contact MeWare Software Development Inc. support at the TR-CERT reporting channel (https://www.usom.gov.tr/bildirim/tr-26-0141) for confirmation of patch availability and deployment guidance specific to your deployment configuration.

Share

CVE-2026-7382 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy