Skip to main content

Dotouch XproUPF CVE-2026-8233

| EUVDEUVD-2026-28984 LOW
Improper Access Control (CWE-284)
2026-05-10 VulDB GHSA-c56c-rg8p-wh26
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 10, 2026 - 06:30 vuln.today
Severity Changed
May 10, 2026 - 06:22 NVD
MEDIUM LOW
CVSS changed
May 10, 2026 - 06:22 NVD
4.6 (MEDIUM) 2.1 (LOW)
CVE Published
May 10, 2026 - 05:30 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The vendor was contacted early about this disclosure.

AnalysisAI

Improper access controls in Dotouch XproUPF 2.0.0 (release 088aa7c4) allow local authenticated attackers to bypass authentication mechanisms and gain unauthorized access to restricted functionality within the UPF component. The vulnerability requires high attack complexity and valid user credentials but affects confidentiality, integrity, and availability of the affected system. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability exists in the UPF (User Protocol Framework or similar) component of Dotouch XproUPF, a software utility for mobile device testing and management. CWE-284 (Improper Access Control) indicates that the component fails to properly enforce authorization checks, allowing authenticated users to access resources or perform operations beyond their intended privilege level. The CVE description identifies an 'unknown function' within UPF as vulnerable, suggesting either incomplete vulnerability details or deliberate disclosure redaction by the vendor. The attack vector is classified as Adjacent Network (AV:A), meaning an attacker must have local or close-range network access rather than direct internet-facing exposure.

RemediationAI

Contact Dotouch directly for patched version availability, as no public vendor advisory or patch version number has been identified in available sources. The CVE description states 'the vendor was contacted early about this disclosure,' indicating coordinated vulnerability response; request an ETA for a security update addressing the improper access control in the UPF component. As an interim compensating control, restrict network access to Dotouch XproUPF instances to trusted internal networks only and enforce principle of least privilege by granting UPF access only to users who require it for legitimate testing purposes. If UPF functionality can be disabled without operational impact, consider doing so until a patch is available. Monitor access logs for authentication bypass attempts (unusual privilege escalation or cross-user access within UPF) and implement network segmentation to limit lateral movement if the vulnerability is exploited.

Share

CVE-2026-8233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy