Skip to main content

BankPro Service Center CVE-2026-9493

| EUVDEUVD-2026-33253 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-29 twcert GHSA-hc6j-f6m9-878g
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 29, 2026 - 07:28 vuln.today
v3 (cvss_changed)
Analysis Updated
May 29, 2026 - 07:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 29, 2026 - 07:22 vuln.today
cvss_changed
Severity Changed
May 29, 2026 - 07:22 NVD
MEDIUM HIGH
CVSS changed
May 29, 2026 - 07:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
May 29, 2026 - 06:45 vuln.today

DescriptionCVE.org

Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order details.

AnalysisAI

Authorization bypass in BankPro E-Service Technology's Service Center application allows authenticated remote attackers to read other users' electronic commerce order details by tampering with an object identifier parameter in a query function. The CVSS 4.0 vector (AV:N/PR:L/VC:H) reflects a high-confidentiality impact over the network with low privileges and no user interaction, and there is no public exploit identified at time of analysis. The flaw is an Insecure Direct Object Reference (IDOR) reported by TWCERT, affecting financial/EC order data that is typically subject to privacy and PCI-DSS scrutiny.

Technical ContextAI

Service Center is a banking/e-service platform produced by BankPro E-Service Technology (CPE: cpe:2.3:a:bankpro_e-service_technology:service_center:*). The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a classic Insecure Direct Object Reference where the application accepts a client-supplied identifier (e.g., an order ID, customer ID, or sequence number) in a query function and returns the corresponding record without verifying that the requesting session owns or is entitled to that record. Although tagged 'Authentication Bypass', the description indicates an authorization rather than authentication failure - the attacker must first be a legitimate authenticated user, then horizontally pivots to other users' EC (electronic commerce) order details by changing a numeric or otherwise predictable parameter.

RemediationAI

No vendor-released patch version is identified in the provided data; operators should contact BankPro E-Service Technology directly and consult the TWCERT advisories (https://www.twcert.org.tw/en/cp-139-10940-d90bd-2.html and https://www.twcert.org.tw/tw/cp-132-10938-97ddd-1.html) for the official fix and any vendor-supplied hotfix bulletin. The primary remediation is a code-level fix that enforces server-side authorization on the affected query function so that the session's user identity - not the client-supplied parameter - determines which order records can be returned; this typically means joining queries on the authenticated user ID or checking ownership in a middleware layer. Until the vendor patch is applied, compensating controls include placing the EC order query endpoint behind a WAF rule that flags rapid sequential or out-of-range identifier enumeration (trade-off: legitimate batch lookups may be blocked), enabling verbose access logging on the order endpoint and alerting on a single account fetching disparate user IDs (trade-off: log volume and analyst burden), and tightening session controls (short timeouts, MFA for sensitive views) to raise the cost of obtaining the low-privileged account needed to exploit the issue.

Share

CVE-2026-9493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy