Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Incorrect Authorization vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd. Co. Turboard FOR-S allows Privilege Escalation.
This issue affects Turboard FOR-S: from 7.01.2026 before 18.02.2026.
AnalysisAI
Privilege escalation in Turboard FOR-S allows remote unauthenticated attackers to gain elevated access by exploiting incorrect authorization checks, requiring only user interaction. The vulnerability affects versions 7.01.2026 through 17.02.2026, with fix available in version 18.02.2026. Turkish national CERT (TR-CERT) reported this authorization bypass vulnerability (CWE-863), which enables attackers to compromise confidentiality, integrity, and availability of the affected business intelligence platform.
Technical ContextAI
This vulnerability stems from CWE-863 (Incorrect Authorization), indicating the application fails to properly verify user permissions before granting access to privileged functions or resources. Turboard FOR-S is a business intelligence and data visualization platform from Turkish vendor E-Kalite. The flaw allows attackers to bypass authorization controls and escalate privileges despite lacking proper credentials. The CVSS vector indicates network-accessible exploitation with low attack complexity but requiring user interaction (AV:N/AC:L/PR:N/UI:R), suggesting the attack likely involves social engineering to trick a legitimate user into triggering the authorization bypass, such as clicking a malicious link or opening a crafted document that exploits the authorization flaw.
RemediationAI
Upgrade Turboard FOR-S to version 18.02.2026 or later immediately, as confirmed by TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0224. If immediate patching is not feasible, implement compensating controls: restrict network access to Turboard FOR-S to trusted IP ranges via firewall rules (eliminates AV:N vector but impacts legitimate remote users), deploy web application firewall with rules to detect authorization bypass attempts (may generate false positives requiring tuning), enforce multi-factor authentication for all user accounts (does not prevent privilege escalation but limits initial access), and implement heightened security awareness training specifically warning users against clicking untrusted links to Turboard dashboards (reduces UI:R success rate but relies on human behavior). These workarounds provide defense-in-depth but do not eliminate the underlying authorization flaw - patching remains the only complete remediation.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29446
GHSA-vgx7-w2gw-273j