Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Exposure of Sensitive Information to an Unauthorized Actor, Exposure of private personal information to an unauthorized actor vulnerability in MeWare Software Development Inc. PDKS allows Excavation.
This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.
AnalysisAI
Authenticated remote attackers can access sensitive personal information in MeWare PDKS versions 16.20200313 through before VMYR_3.5.2025117 due to improper access controls. The vulnerability allows disclosure of private data without authorization, affecting confidentiality. CVSS score of 6.5 reflects moderate severity with network accessibility and low attack complexity, though authentication is required. No active exploitation or public proof-of-concept has been confirmed at time of analysis.
Technical ContextAI
MeWare PDKS (likely referring to a Product Data or Digital Knowledge System) implements insufficient authorization controls over sensitive personal information resources. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates the application fails to properly restrict access to data that should only be accessible to specific users or roles. The vulnerability manifests at the network layer (AV:N) with low attack complexity, suggesting the flaw is inherent to the application logic rather than requiring specific environmental conditions. The low privilege requirement (PR:L) indicates an authenticated user with minimal permissions can trigger disclosure, suggesting the root cause is inadequate role-based or attribute-based access control validation.
RemediationAI
Upgrade MeWare PDKS to version VMYR_3.5.2025117 or later immediately to address the authorization bypass. This patch version includes corrected access control logic to prevent unauthorized data disclosure. Pending patch deployment, restrict network access to PDKS instances using firewall rules to limit authentication attempts to trusted IP ranges, and enforce multi-factor authentication for user accounts with data access privileges to increase the privilege barrier (PR:L becomes harder to satisfy). Review and audit user access logs in affected systems to identify whether the vulnerability has been exploited to access sensitive personal information, enabling timely notification if required. Contact MeWare Software Development Inc. support at the TR-CERT reporting channel (https://www.usom.gov.tr/bildirim/tr-26-0141) for confirmation of patch availability and deployment guidance specific to your deployment configuration.
Remote authenticated attackers can flood PDKS (Personnel and Document Tracking System) through uncontrolled interaction
Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26370