Skip to main content

1024-lab smart-admin CVE-2026-7468

| EUVDEUVD-2026-26305 MEDIUM
Improper Access Control (CWE-284)
2026-04-30 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
Apr 30, 2026 - 14:52 vuln.today
Public exploit code
Analysis Generated
Apr 30, 2026 - 01:29 vuln.today
Severity Changed
Apr 30, 2026 - 01:22 NVD
HIGH MEDIUM
CVSS changed
Apr 30, 2026 - 01:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 30, 2026 - 01:15 euvd
EUVD-2026-26305
Analysis Generated
Apr 30, 2026 - 01:15 vuln.today
CVE Published
Apr 30, 2026 - 01:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Improper access controls in 1024-lab smart-admin up to version 3.30.0 allow remote unauthenticated attackers to gain unauthorized access to the Druid demo interface at /smart-admin-api/druid/index.html, potentially exposing sensitive data or administrative functionality. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 (low confidentiality/integrity impact), though the vendor has not yet acknowledged or patched the issue despite early notification.

Technical ContextAI

The vulnerability exists in the Druid component's web interface, specifically the /smart-admin-api/druid/index.html endpoint. The underlying issue is classified as CWE-284 (Improper Access Control), indicating that the application fails to properly enforce authorization checks on this resource. Smart-admin is a Java-based administrative dashboard framework; the Druid integration provides SQL query execution and monitoring capabilities. The absence of proper authentication or authorization validation on this endpoint allows network-accessible exploitation without requiring valid credentials. This is a common issue in demo or development interfaces that are accidentally exposed in production environments or left unsecured by default configuration.

RemediationAI

No vendor-released patch is available at this time; the 1024-lab team has not yet responded to the vulnerability report. Immediate mitigation requires restricting access to the /smart-admin-api/druid/ endpoint at the network or web server level. Apply strict authentication and authorization controls: block this path from public internet access using firewall rules or web application firewall (WAF) rules that require authentication before allowing access to any /smart-admin-api/* path. If Druid functionality is required, place the application behind a VPN or access control proxy and enable authentication on the endpoint itself by modifying the application configuration. As a temporary measure, disable or remove the Druid demo interface entirely if it is not required for production use. Monitor the official GitHub repository (https://github.com/1024-lab/smart-admin/) for a security patch release. Do not rely on obscurity or IP-based filtering as the sole mitigation, as the public exploit code lowers the barrier to discovery. If upgrading is possible, await a patched version beyond 3.30.0, though no timeline has been announced.

Share

CVE-2026-7468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy