Skip to main content

Vw Fitness EUVDEUVD-2026-11971

| CVE-2026-32434 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11971
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in vowelweb VW Fitness vw-fitness allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Fitness: from n/a through <= 4.3.4.

AnalysisAI

VW Fitness through version 4.3.4 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. An attacker can exploit this to perform unauthorized actions without requiring authentication or user interaction. No patch is currently available for affected installations.

Technical ContextAI

This vulnerability stems from improper implementation of access control mechanisms in the VW Fitness web application (CPE identifier: cpe:2.3:a:vowelweb:vw_fitness). CWE-862 (Missing Authorization) indicates that the application fails to enforce authorization checks before allowing sensitive operations, meaning certain API endpoints or functions do not verify whether the requesting user has permission to perform the requested action. The affected versions through 4.3.4 contain security-level configurations that are either misconfigured by default or improperly validated at runtime. The network attack vector (AV:N) indicates the flaw can be exploited directly over the network without requiring local access, and the low attack complexity (AC:L) means no special conditions or techniques are required beyond standard HTTP requests.

RemediationAI

Immediately upgrade vowelweb VW Fitness to a version newer than 4.3.4 (consult vendor documentation for the first patched release, typically 4.3.5 or 4.4.0). If immediate patching is not feasible, implement network-level access controls by restricting access to the VW Fitness application endpoints to trusted IP ranges only, disabling unauthenticated API access where possible, and implementing a Web Application Firewall (WAF) rule set to require valid authentication tokens on all sensitive endpoints. Additionally, conduct an access control audit of the application configuration to identify any incorrectly configured security levels and manually enforce proper role-based access control (RBAC) at the application configuration level until a patched version is deployed.

Share

EUVD-2026-11971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy