Skip to main content

Fullstep V5 EUVDEUVD-2026-24746

| CVE-2026-5750 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-22 INCIBE GHSA-27hq-xp89-25mq
7.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 14:59 vuln.today
CVSS changed
Apr 22, 2026 - 14:22 NVD
7.6 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 14:00 euvd
EUVD-2026-24746
Analysis Generated
Apr 22, 2026 - 14:00 vuln.today
Patch released
Apr 22, 2026 - 14:00 nvd
Patch available
CVE Published
Apr 22, 2026 - 13:25 nvd
HIGH 7.6

DescriptionCVE.org

An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from: '/api/suppliers/v1/suppliers//false' to list user information; and '/#/supplier-registration/supplier-registration//2' to update your user information (personal details, documents, etc.).

AnalysisAI

Insecure direct object reference in Fullstep V5 allows authenticated users to enumerate and modify other users' supplier registration data via predictable API endpoints. Authenticated attackers with low privileges can exploit vulnerable GET and POST endpoints to list sensitive user information (/api/suppliers/v1/suppliers/) and update arbitrary user profiles including personal details and documents (/#/supplier-registration/supplier-registration/). CVSS 7.6 reflects high confidentiality and integrity impact with low attack complexity. No public exploit code identified at time of analysis, but the IDOR pattern is trivial to exploit once authenticated. INCIBE-CERT advisory confirms patch availability from vendor.

Technical ContextAI

This vulnerability exploits CWE-639 (Authorization Bypass Through User-Controlled Key), a classic insecure direct object reference where sequential or predictable identifiers in REST API endpoints allow horizontal privilege escalation. The Fullstep V5 supplier registration module fails to validate that authenticated users can only access their own resource identifiers. The vulnerable endpoints use URL path parameters to specify user/supplier IDs without server-side authorization checks. Attackers manipulate the ID values in '/api/suppliers/v1/suppliers/{ID}/false' (GET for enumeration) and '/#/supplier-registration/supplier-registration/{ID}/2' (POST/PUT for modification) to traverse through other users' data. This is a authorization logic flaw rather than authentication bypass - users must authenticate, but the application trusts client-supplied object references without verifying ownership. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L) indicates network-accessible exploitation with low complexity once low-privilege authentication is achieved, with attack requirements present but not extensive.

RemediationAI

Apply vendor-released patch immediately per INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fullstep. The advisory indicates patches are available directly from Fullstep for these multiple vulnerabilities. Until patching is complete, implement compensating controls: enforce server-side authorization checks that validate authenticated user identity matches the requested resource owner before returning or modifying supplier data; implement indirect object references using session-bound tokens or UUIDs instead of sequential IDs in API paths; deploy API gateway rules to log and alert on rapid sequential ID enumeration attempts (indicative of IDOR exploitation); restrict supplier registration API access to minimum necessary user roles; enable detailed audit logging on /api/suppliers/v1/suppliers/ and supplier-registration endpoints to detect unauthorized access patterns. Note that frontend-only restrictions are insufficient - attackers can bypass them with direct API calls. Review access logs for the vulnerable endpoints to identify potential historical exploitation before patch deployment. Organizations unable to patch immediately should consider temporarily disabling supplier registration functionality if business operations permit, though this significantly impacts procurement workflows.

Share

EUVD-2026-24746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy