Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in vowelweb VW Portfolio vw-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Portfolio: from n/a through <= 1.3.3.
AnalysisAI
Improper access control in VW Portfolio up to version 1.3.3 enables unauthenticated attackers to modify data through incorrectly configured security levels. The vulnerability allows integrity compromise without requiring authentication or user interaction, affecting all instances of the affected software versions. No patch is currently available.
Technical ContextAI
This vulnerability is rooted in CWE-862 (Missing Authorization), a root cause class where the application fails to verify that a user has proper authorization before allowing access to a resource or performing a sensitive operation. The vowelweb VW Portfolio, identifiable via CPE designations for the affected product family, implements portfolio management functionality that relies on security level configurations for access control. The application's failure to properly enforce these security levels during request processing means that access control checks are either missing entirely or bypass-able through specific request manipulation, allowing unauthorized parties to interact with protected resources.
RemediationAI
Upgrade vowelweb VW Portfolio to a patched version released after 1.3.3 as soon as the security update becomes available from vowelweb. Organizations unable to patch immediately should implement compensating controls by restricting network access to VW Portfolio instances to trusted IP ranges only, enforcing authentication at a network perimeter (reverse proxy or WAF), and implementing robust access control validation in any downstream systems that consume VW Portfolio data. Monitor access logs for unauthorized modification attempts and ensure proper configuration audits are performed on all deployed instances to verify security level settings are correctly enforced. Contact vowelweb support for advisory details and patch timeline if not yet publicly available.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11977