EUVD-2026-12216Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
CVE-2026-4171 is an authorization bypass vulnerability in CodeGenieApp serverless-express affecting versions up to 4.17.1, where manipulation of the userId parameter in the API Endpoint component allows authenticated attackers to access or modify resources belonging to other users. A public proof-of-concept exploit exists, the vendor has not responded to early disclosure, and the vulnerability carries a CVSS score of 6.3 with exploitation rated as Probable (EPSS indicator); while not currently in CISA KEV, the combination of public POC availability and low attack complexity represents moderate real-world risk.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | Multi-signal analysis reveals moderate-to-moderate-high real-world risk: (1) CVSS 6.3 with AV:N/AC:L indicates network-exploitable vulnerability with low attack complexity, but PR:L (requires prior login) and C:L/I:L/A:L (limited impact scope) cap severity; (2) EPSS indicator 'P' (Probable exploitation) and E:P (Proof-of-Concept Exists) elevate practical risk significantly—public exploits lower barriers to weaponization; (3) RC:R (Reasonable confidence) and RL:X (Unpatched/Unknown remediation) indicate unresolved status; (4) NOT currently in CISA KEV, suggesting limited widespread active exploitation to date, but public POC and unresponsive vendor dramatically increase exploitation probability; (5) SSVC perspective: Exploitation=PoC Available (high signal), Automatable=Likely (low AC), Technical Impact=Total (CWE-639 enables lateral access to peer resources), Organization Impact=Significant (affects confidentiality/integrity of user data in multi-tenant systems). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker (e.g., legitimate user with valid credentials) logs into a serverless-express-based application deployed on AWS Lambda. The attacker observes the API structure and identifies that the TodoList endpoint accepts a userId parameter (e.g., GET /api/todos?userId=user123). … |
| Remediation | - action: Apply vendor patch; details: Patch version not explicitly specified in available intelligence; contact vendor or monitor CodeGenieApp security advisories for patched version > 4.17.1 - action: Immediate workaround; details: Implement server-side authorization checks in API Endpoint handlers to validate that the authenticated user's identity matches the userId parameter before granting access; never trust client-supplied userId values without verification against the authenticated session/JWT claims - action: Code review; details: Audit TodoList.ts and all similar API endpoint handlers for CWE-639 patterns—ensure authorization logic uses authenticated user context (from JWT/session) rather than unsanitized request parameters - action: Upgrade serverless-express; details: Downgrade to versions prior to 4.17.0 if patched version unavailable, or await patched release; monitor https://github.com/codegenieapp/serverless-express and vendor advisories - action: WAF/API Gateway controls; details: Implement API Gateway authorization policies or AWS Lambda resource-based policies to restrict cross-user access patterns; add request validation rules to reject suspicious userId parameter manipulations - action: Logging and monitoring; details: Enable audit logging on TodoList API calls to detect unauthorized userId access patterns; alert on attempts to access resources with mismatched userId vs. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 30 days: Identify affected systems running CodeGenieApp serverless-express and apply vendor patches as part of regular patch cycle. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today