Skip to main content

Kaleris YMS EUVDEUVD-2026-19269

| CVE-2026-31150 MEDIUM
Improper Access Control (CWE-284)
2026-04-06 mitre GHSA-mpxj-x6rg-mghc
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 15:00 euvd
EUVD-2026-19269
Analysis Generated
Apr 06, 2026 - 15:00 vuln.today
CVE Published
Apr 06, 2026 - 00:00 nvd
MEDIUM 4.3

DescriptionCVE.org

Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources.

AnalysisAI

Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated users with the shipping/receiving role to access truck dashboard resources beyond their assigned permissions, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects a specific version of the Kaleris Yard Management System (YMS). Public exploit code is available, and CISA has identified this as exploitable through their SSVC framework, though technical impact is limited to confidentiality breach without integrity or availability consequences.

Technical ContextAI

This vulnerability stems from inadequate role-based access control (RBAC) implementation in Kaleris YMS, a yard management platform. The root cause (CWE-284: Improper Access Control) indicates that the application fails to properly validate user permissions before granting access to truck dashboard resources. Authenticated users with the shipping/receiving role should have restricted visibility limited to their job functions; however, the access control mechanism does not enforce these boundaries. The vulnerability exists in network-accessible components of the YMS application and does not require elevated privileges or complex attack interactions to exploit, as confirmed by the CVSS vector (AV:N/AC:L/PR:L).

RemediationAI

Organizations should contact Kaleris directly or check their official advisory channels for a patched version addressing the access control defect. Until a vendor-released patch is available, implement compensating controls by auditing RBAC role assignments in YMS to ensure shipping/receiving users cannot access truck dashboard resources through the application interface, and restrict network access to the YMS dashboard to authorized personnel only. Consider implementing additional authentication factors (multi-factor authentication) for YMS access to reduce the attack surface to legitimate insiders. Apply the patch immediately upon release from Kaleris. The GitHub repository at https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150 contains proof-of-concept code; review this to understand the exact exploitation path and validate remediation effectiveness. Refer to the NVD vulnerability detail page (https://nvd.nist.gov/vuln/detail/CVE-2026-31150) for updates from Kaleris regarding patch availability and timeline.

Share

EUVD-2026-19269 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy