Skip to main content

Vw Portfolio EUVDEUVD-2026-11977

| CVE-2026-32437 MEDIUM
Missing Authorization (CWE-862)
2026-03-13 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11977
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in vowelweb VW Portfolio vw-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Portfolio: from n/a through <= 1.3.3.

AnalysisAI

Improper access control in VW Portfolio up to version 1.3.3 enables unauthenticated attackers to modify data through incorrectly configured security levels. The vulnerability allows integrity compromise without requiring authentication or user interaction, affecting all instances of the affected software versions. No patch is currently available.

Technical ContextAI

This vulnerability is rooted in CWE-862 (Missing Authorization), a root cause class where the application fails to verify that a user has proper authorization before allowing access to a resource or performing a sensitive operation. The vowelweb VW Portfolio, identifiable via CPE designations for the affected product family, implements portfolio management functionality that relies on security level configurations for access control. The application's failure to properly enforce these security levels during request processing means that access control checks are either missing entirely or bypass-able through specific request manipulation, allowing unauthorized parties to interact with protected resources.

RemediationAI

Upgrade vowelweb VW Portfolio to a patched version released after 1.3.3 as soon as the security update becomes available from vowelweb. Organizations unable to patch immediately should implement compensating controls by restricting network access to VW Portfolio instances to trusted IP ranges only, enforcing authentication at a network perimeter (reverse proxy or WAF), and implementing robust access control validation in any downstream systems that consume VW Portfolio data. Monitor access logs for unauthorized modification attempts and ensure proper configuration audits are performed on all deployed instances to verify security level settings are correctly enforced. Contact vowelweb support for advisory details and patch timeline if not yet publicly available.

Share

EUVD-2026-11977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy