Skip to main content

Next Saas Stripe Starter EUVDEUVD-2026-14308

| CVE-2026-4549 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-22 VulDB GHSA-rccx-mffc-xm8j
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 24, 2026 - 16:37 NVD
3.1 (LOW) 2.3 (LOW)
EUVD ID Assigned
Mar 22, 2026 - 14:00 euvd
EUVD-2026-14308
Analysis Generated
Mar 22, 2026 - 14:00 vuln.today
CVE Published
Mar 22, 2026 - 13:47 nvd
LOW 3.1

DescriptionCVE.org

A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitation is known to be difficult.

AnalysisAI

An authorization bypass vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the openCustomerPortal function of the Stripe API integration component. Authenticated users with low privileges can bypass authorization controls to access Stripe customer portal functionality they should not be permitted to access, potentially gaining unauthorized view access to sensitive customer data. While the vulnerability requires authentication and has high attack complexity, exploitation is considered difficult but possible; no evidence of active exploitation in the wild or public proof-of-concept code has been reported.

Technical ContextAI

This vulnerability resides in the next-saas-stripe-starter project (cpe:2.3:a:mickasmt:next-saas-stripe-starter:*:*:*:*:*:*:*:*), a SaaS boilerplate application that integrates Stripe payment processing. The flawed component is the Stripe API handler, specifically in actions/open-customer-portal.ts, which is responsible for authenticating and authorizing users before granting them access to the Stripe Customer Portal. The underlying root cause is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that the application fails to properly validate user permissions before allowing portal access. The vulnerability likely stems from insufficient session validation, missing role-based access control checks, or improper parameter sanitization when determining which customer portal a user should access.

RemediationAI

Upgrade mickasmt next-saas-stripe-starter to a patched version beyond 1.0.0 as soon as available from the upstream project repository. Until a patch is released, implement compensating controls by adding explicit role-based authorization checks in the openCustomerPortal function to verify that the authenticated user has permission to access the requested customer portal, enforce request parameter validation to prevent customer ID manipulation, and implement detailed access logging to detect suspicious portal access attempts. Consider restricting Stripe API integrations to a subset of trusted application users and audit all recent portal access logs for unauthorized activity. Monitor the VulDB entry (https://vuldb.com/?id.352376) and mickasmt project repositories for patch availability.

Share

EUVD-2026-14308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy