Skip to main content

Leadrebel EUVDEUVD-2026-20337

| CVE-2026-39664 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-vcv7-hm7p-jvh2
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20337
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.3

DescriptionCVE.org

Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadrebel: from n/a through <= 1.0.2.

AnalysisAI

Leadrebel plugin version 1.0.2 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, exposing confidential data without authorization. The vulnerability stems from missing authorization checks on functionality that should be restricted, enabling attackers to bypass authentication mechanisms and retrieve non-public information. While the CVSS score is moderate (5.3) and real-world exploitation probability is low (EPSS 0.02%), the issue represents a fundamental authentication bypass in access control logic.

Technical ContextAI

This vulnerability is rooted in CWE-862 (Missing Authorization), a foundational access control flaw where the application fails to verify that users are authorized before granting access to sensitive functions or data. The Leadrebel plugin, identified via CPE cpe:2.3:a:leadrebel:leadrebel:*:*:*:*:*:*:*:*, implements web APIs or endpoints that process requests without proper authorization decorators or middleware checks. The CVSS vector indicates unauthenticated network-based access (AV:N/AC:L/PR:N/UI:N), meaning an attacker can exploit this directly over HTTP/HTTPS without credentials, user interaction, or elevated privileges. The confidentiality impact (C:L) confirms information disclosure rather than data modification or system unavailability, suggesting attackers can view restricted data such as lead records, configuration details, or user information.

RemediationAI

Update Leadrebel to a version newer than 1.0.2 immediately. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/leadrebel/vulnerability/wordpress-leadrebel-plugin-1-0-2-broken-access-control-vulnerability) for confirmation of the patched release version and installation instructions. As an interim mitigation while awaiting or testing an update, restrict network access to the Leadrebel plugin endpoints using Web Application Firewall (WAF) rules or access control lists (ACLs) to limit exposure only to trusted internal networks or known authorized users. Additionally, review server logs for suspicious unauthenticated requests to Leadrebel API endpoints or admin functions to determine if the vulnerability has been exploited.

Share

EUVD-2026-20337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy