Skip to main content

School App CVE-2026-7491

| EUVDEUVD-2026-26772 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-02 twcert
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Patch available
May 02, 2026 - 11:01 EUVD
Analysis Updated
May 02, 2026 - 10:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 02, 2026 - 10:22 vuln.today
cvss_changed
CVSS changed
May 02, 2026 - 10:22 NVD
8.1 (HIGH) 8.6 (HIGH)
Patch released
May 02, 2026 - 10:16 nvd
Patch available
Analysis Generated
May 02, 2026 - 10:01 vuln.today
EUVD ID Assigned
May 02, 2026 - 09:30 euvd
EUVD-2026-26772
Analysis Generated
May 02, 2026 - 09:30 vuln.today
CVE Published
May 02, 2026 - 09:14 nvd
HIGH 8.6

DescriptionCVE.org

School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.

AnalysisAI

Insecure Direct Object Reference in Zyosoft School App allows authenticated remote attackers to escalate privileges horizontally by manipulating object identifiers in API requests, enabling unauthorized read and write access to other users' personal data including student records, grades, and account information. The vulnerability requires only low-level authentication (PR:L) with no user interaction and poses high confidentiality and integrity risk to multi-tenant educational data. EPSS and KEV data not available; exploitation complexity is low (AC:L) making this accessible to moderately skilled attackers once credentials are obtained.

Technical ContextAI

This is a classic Insecure Direct Object Reference (IDOR) vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The School App by Zyosoft fails to implement proper authorization checks on object-level access control, allowing authenticated users to manipulate reference parameters (likely numeric IDs or GUIDs in API endpoints or URL parameters) to access resources belonging to other users. The application trusts client-supplied object identifiers without validating that the requesting user has legitimate access rights to those objects. This architectural flaw is common in web and mobile applications where authorization logic incorrectly assumes authentication alone is sufficient, or where role-based access control (RBAC) is implemented but object-level permissions are not enforced. The CVSS 4.0 vector confirms network-based exploitation with low complexity and no attack complexity barriers beyond obtaining valid low-privilege credentials.

RemediationAI

Organizations running School App should immediately apply vendor-released security updates by consulting Taiwan CERT advisories at https://www.twcert.org.tw/tw/cp-132-10896-e3240-1.html (Traditional Chinese) and https://www.twcert.org.tw/en/cp-139-10897-64257-2.html (English) for patch availability and installation instructions. If patches are not yet available or cannot be immediately deployed, implement these compensating controls with the following trade-offs: (1) Enable comprehensive API request logging to monitor for sequential object ID enumeration patterns, accepting the performance overhead and storage costs of verbose logging; (2) Implement web application firewall (WAF) rules to detect and block rapid sequential requests to user data endpoints, acknowledging this may cause false positives for legitimate bulk operations by administrators; (3) Conduct emergency access review to ensure user accounts have minimum necessary privilege levels, reducing the pool of credentials that could be exploited; (4) If feasible within application architecture, temporarily restrict API access to trusted IP ranges or VPN-only access, understanding this limits mobile/remote user functionality. Note that compensating controls only reduce attack surface and do not eliminate the underlying authorization flaw.

Share

CVE-2026-7491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy