Skip to main content

Ai Workflow Automation EUVDEUVD-2026-20398

| CVE-2026-39699 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-8m6c-ch3f-3mpm
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20398
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2.

AnalysisAI

Missing authorization in massiveshift AI Workflow Automation plugin (versions up to 1.4.2) allows unauthenticated remote attackers to modify data through incorrectly configured access control security levels, affecting the WordPress plugin ai-workflow-automation-lite. The vulnerability has a low EPSS score (0.02%, 4th percentile) despite CVSS 5.3, suggesting limited real-world exploitation likelihood despite network accessibility.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a fundamental access control failure where the application fails to verify that users have proper permissions before allowing sensitive operations. In this case, the AI Workflow Automation plugin does not adequately enforce authorization checks on its API or functional endpoints, allowing requests from unauthenticated users to pass authorization validation. The affected product is the WordPress plugin 'ai-workflow-automation-lite' published by massiveshift, which integrates workflow automation capabilities into WordPress environments. The lack of proper authorization enforcement means that security levels and role-based access controls are either not checked or are misconfigured, permitting unauthorized modifications.

RemediationAI

Update the AI Workflow Automation plugin to a version newer than 1.4.2 if a patched version is available from massiveshift. Users should check the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/ai-workflow-automation-lite/vulnerability/wordpress-ai-workflow-automation-plugin-1-4-2-broken-access-control-vulnerability) and the NIST NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39699) for patch availability and timeline. In the interim, administrators should audit and tighten access control configurations within the plugin, restrict plugin functionality to authenticated users only, and monitor for unauthorized modification attempts in WordPress logs. Disabling the plugin entirely is advisable if patches remain unavailable and the functionality is not business-critical.

Share

EUVD-2026-20398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy