Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse.
This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.
AnalysisAI
Remote authenticated attackers can bypass authorization controls in MeWare PDKS through user-controlled key manipulation, enabling privilege escalation to access and modify sensitive data without proper permissions. Affecting PDKS versions from V16.20200313 to VMYR_3.5.2025117, this vulnerability allows low-privileged users to abuse authorization mechanisms via network access without user interaction. No confirmed active exploitation or public exploit code identified at time of analysis, with EPSS data unavailable for risk quantification.
Technical ContextAI
The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application uses client-controlled parameters or keys to determine access rights rather than validating authorization server-side. In the MeWare PDKS (Personnel Tracking System) application, attackers can manipulate user-controlled identifiers or session keys to access resources or functions outside their assigned privilege level. The CVSS vector indicates network-accessible exploitation (AV:N) with low attack complexity (AC:L), requiring only basic authentication (PR:L). The unchanged scope (S:U) suggests the vulnerability remains within the PDKS application boundary but enables high confidentiality and integrity impact (C:H/I:H) without affecting availability.
RemediationAI
Organizations running affected PDKS versions should immediately upgrade to version VMYR_3.5.2025117 or later, which addresses the authorization bypass vulnerability according to the version advisory data. Consult the TR-CERT advisory at https://www.usom.gov.tr/bildirim/tr-26-0141 for vendor-specific upgrade instructions and potential prerequisites. Until patching is completed, implement interim compensating controls: restrict PDKS network access to trusted IP ranges or VPN-only connections to reduce attack surface; enable comprehensive audit logging of all authorization decisions and privilege escalations to detect abuse attempts; review and minimize user privilege assignments following least-privilege principles, particularly for accounts that can access personnel or sensitive HR data; implement application-layer monitoring to detect anomalous access patterns such as low-privileged users accessing administrative functions or lateral movement across user contexts. Note that restricting network access reduces but does not eliminate risk from authenticated insiders. These workarounds should be considered temporary measures only, as the underlying authorization flaw remains exploitable by any authenticated user until patched.
Remote authenticated attackers can flood PDKS (Personnel and Document Tracking System) through uncontrolled interaction
Authenticated remote attackers can access sensitive personal information in MeWare PDKS versions 16.20200313 through bef
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26371