Skip to main content

MeWare PDKS CVE-2026-7399

| EUVDEUVD-2026-26371 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-30 TR-CERT
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 30, 2026 - 13:30 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 13:00 euvd
EUVD-2026-26371
Analysis Generated
Apr 30, 2026 - 13:00 vuln.today
CVE Published
Apr 30, 2026 - 12:39 nvd
HIGH 8.1

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse.

This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

AnalysisAI

Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation, enabling privilege escalation to access and modify sensitive data without proper permissions. Affecting PDKS versions from V16.20200313 to VMYR_3.5.2025117, this vulnerability allows low-privileged users to abuse authorization mechanisms via network access without user interaction. No confirmed active exploitation or public exploit code identified at time of analysis, with EPSS data unavailable for risk quantification.

Technical ContextAI

The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application uses client-controlled parameters or keys to determine access rights rather than validating authorization server-side. In the MeWare PDKS (Personnel Tracking System) application, attackers can manipulate user-controlled identifiers or session keys to access resources or functions outside their assigned privilege level. The CVSS vector indicates network-accessible exploitation (AV:N) with low attack complexity (AC:L), requiring only basic authentication (PR:L). The unchanged scope (S:U) suggests the vulnerability remains within the PDKS application boundary but enables high confidentiality and integrity impact (C:H/I:H) without affecting availability.

RemediationAI

Organizations running affected PDKS versions should immediately upgrade to version VMYR_3.5.2025117 or later, which addresses the authorization bypass vulnerability according to the version advisory data. Consult the TR-CERT advisory at https://www.usom.gov.tr/bildirim/tr-26-0141 for vendor-specific upgrade instructions and potential prerequisites. Until patching is completed, implement interim compensating controls: restrict PDKS network access to trusted IP ranges or VPN-only connections to reduce attack surface; enable comprehensive audit logging of all authorization decisions and privilege escalations to detect abuse attempts; review and minimize user privilege assignments following least-privilege principles, particularly for accounts that can access personnel or sensitive HR data; implement application-layer monitoring to detect anomalous access patterns such as low-privileged users accessing administrative functions or lateral movement across user contexts. Note that restricting network access reduces but does not eliminate risk from authenticated insiders. These workarounds should be considered temporary measures only, as the underlying authorization flaw remains exploitable by any authenticated user until patched.

Share

CVE-2026-7399 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy