Skip to main content

Wakyma Application Web EUVDEUVD-2026-12389

| CVE-2026-3020 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-16 INCIBE
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 11:00 euvd
EUVD-2026-12389
Analysis Generated
Mar 16, 2026 - 11:00 vuln.today
Patch released
Mar 16, 2026 - 11:00 nvd
Patch available
CVE Published
Mar 16, 2026 - 10:09 nvd
HIGH 8.6

DescriptionCVE.org

Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts

AnalysisAI

An identity-based authorization bypass vulnerability (IDOR) allows authenticated attackers to modify other users' account data, including email addresses, and subsequently hijack accounts through password reset flows. The vulnerability affects an unspecified product with a CVSS 8.6 severity rating, requires only low privileges to exploit over the network, and enables complete account takeover. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and the EPSS score is unavailable.

Technical ContextAI

This vulnerability represents an Insecure Direct Object Reference (IDOR) flaw, classified as CWE-639 (Authorization Bypass Through User-Controlled Key), where the application fails to properly verify that authenticated users can only access or modify their own account data. The vulnerability allows attackers to manipulate object references (likely user IDs or account identifiers) to access and modify other users' profiles. No specific CPE strings or affected products are identified in the available intelligence, suggesting this may be a placeholder CVE or the affected vendor has not been disclosed.

RemediationAI

Without identified affected products or vendor advisories, specific patching guidance cannot be provided for CVE-2026-3020. Organizations should implement general IDOR prevention controls including proper authorization checks that validate user permissions before allowing profile modifications, implementing secure session management, and adding rate limiting on sensitive account operations. Monitor authentication logs for suspicious account modification patterns and consider implementing additional verification steps for email changes and password resets.

Share

EUVD-2026-12389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy