Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Improper access controls in 1024-lab smart-admin up to version 3.30.0 allow remote unauthenticated attackers to gain unauthorized access to the Druid demo interface at /smart-admin-api/druid/index.html, potentially exposing sensitive data or administrative functionality. The vulnerability has a publicly available proof of concept and a CVSS score of 5.5 (low confidentiality/integrity impact), though the vendor has not yet acknowledged or patched the issue despite early notification.
Technical ContextAI
The vulnerability exists in the Druid component's web interface, specifically the /smart-admin-api/druid/index.html endpoint. The underlying issue is classified as CWE-284 (Improper Access Control), indicating that the application fails to properly enforce authorization checks on this resource. Smart-admin is a Java-based administrative dashboard framework; the Druid integration provides SQL query execution and monitoring capabilities. The absence of proper authentication or authorization validation on this endpoint allows network-accessible exploitation without requiring valid credentials. This is a common issue in demo or development interfaces that are accidentally exposed in production environments or left unsecured by default configuration.
RemediationAI
No vendor-released patch is available at this time; the 1024-lab team has not yet responded to the vulnerability report. Immediate mitigation requires restricting access to the /smart-admin-api/druid/ endpoint at the network or web server level. Apply strict authentication and authorization controls: block this path from public internet access using firewall rules or web application firewall (WAF) rules that require authentication before allowing access to any /smart-admin-api/* path. If Druid functionality is required, place the application behind a VPN or access control proxy and enable authentication on the endpoint itself by modifying the application configuration. As a temporary measure, disable or remove the Druid demo interface entirely if it is not required for production use. Monitor the official GitHub repository (https://github.com/1024-lab/smart-admin/) for a security patch release. Do not rely on obscurity or IP-based filtering as the sole mitigation, as the public exploit code lowers the barrier to discovery. If upgrading is possible, await a patched version beyond 3.30.0, though no timeline has been announced.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26305