Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers.
This issue affects BAPSİS: before v.202604152042.
AnalysisAI
Authorization bypass in BAPSİS web application enables unauthenticated remote attackers to exploit trusted identifiers through user-controlled keys when victims interact with crafted requests. ABIS Technology's BAPSİS platform (versions before v.202604152042) contains a CWE-639 flaw where authorization checks rely on client-controlled key values, allowing attackers to manipulate trust relationships and gain unauthorized access with high impact to confidentiality, integrity, and availability. TR-CERT published advisory but no public exploit code identified at time of analysis, with CVSS 8.8 reflecting network-exploitable attack requiring only user interaction.
Technical ContextAI
This vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), a design flaw where the application uses attacker-controllable input to determine authorization decisions. In BAPSİS, the system appears to rely on user-supplied identifiers or keys (such as session tokens, user IDs, or reference parameters) to establish trust relationships without proper server-side validation. The CPE identifier (cpe:2.3:a:abis_technology_ltd._co.:bapsi̇s) indicates this affects ABIS Technology's proprietary BAPSİS platform, likely a business application or management system. The CVSS vector's Network attack vector (AV:N) and Low complexity (AC:L) indicate the vulnerability is exploitable through standard web protocols without requiring specialized conditions, while the High ratings across Confidentiality, Integrity, and Availability (C:H/I:H/A:H) suggest the flaw allows complete compromise of authorization boundaries once exploited.
RemediationAI
Upgrade BAPSİS to version 202604152042 or later immediately, as confirmed by TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0223. The version string format (YYYYMMDDHHMM) indicates this is a timestamp-based release from April 15, 2026, 20:42 UTC. If immediate patching is not feasible, implement compensating controls: (1) Deploy web application firewall rules to validate and sanitize all user-supplied identifiers and keys used in authorization decisions, though this may break legitimate application functionality if key formats are not well-documented; (2) Restrict BAPSİS access to trusted internal networks only via firewall rules or VPN requirement, eliminating the network attack vector but impacting remote users; (3) Implement mandatory multi-factor authentication at the infrastructure layer (reverse proxy, VPN) to add authentication barriers despite the application-level bypass, adding operational overhead but reducing exploitation risk. Monitor application logs for anomalous authorization patterns, such as rapid privilege escalation or access to resources without corresponding authentication events. All workarounds are temporary - the authorization logic flaw requires code-level fixes only available in the patched version.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29442
GHSA-q4cr-cjq5-h3m4