Skip to main content

SOPlanning EUVDEUVD-2026-33609

| CVE-2026-40543 HIGH
Missing Authorization (CWE-862)
2026-06-01 cvd@cert.pl GHSA-jrvc-354g-rfch
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 09:31 vuln.today

DescriptionCVE.org

SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information.

This issue affects SOPlanning version 1.55 and below.

AnalysisAI

Unauthenticated information disclosure in SOPlanning version 1.55 and below allows remote attackers to download backup archives and configuration files directly from backup endpoints without any authentication, exposing the user database with password hashes and sensitive configuration data. The CVSS 4.0 score of 8.8 reflects high confidentiality impact over the network with no privileges or user interaction required, and no public exploit identified at time of analysis. Disclosure was coordinated through CERT.PL, indicating a vetted advisory rather than opportunistic discovery.

Technical ContextAI

SOPlanning is an open-source PHP-based online project planning and scheduling tool used by organizations to coordinate teams and resources. The flaw is classified as CWE-862 (Missing Authorization), meaning backup-related HTTP endpoints perform their sensitive functions (generating and serving database/config dumps) without checking whether the requesting session belongs to an authenticated administrator. The exposed artifacts include the user database (with stored password hashes that can be subjected to offline cracking) and config.csv, which typically holds SMTP credentials, database connection details, and other deployment secrets specific to SOPlanning installations.

RemediationAI

Patch status: no vendor-released patch version was identified in the input data at time of analysis, so administrators should consult the CERT.PL advisory at https://cert.pl/en/posts/2026/06/CVE-2026-40543 and the vendor site https://www.soplanning.org/en/ for the fixed release once published and upgrade beyond 1.55 as soon as it is available. As compensating controls until a patched build is deployed, restrict network access to the SOPlanning instance to trusted internal networks or place it behind an authenticating reverse proxy or VPN so the backup endpoints cannot be reached anonymously (trade-off: legitimate remote users will also need VPN/SSO), block the specific backup URL paths identified in the CERT.PL writeup at the web server or WAF layer (trade-off: administrators lose the in-app backup workflow and must run backups out-of-band), and rotate all credentials stored in config.csv plus force password resets for all SOPlanning user accounts since hashes may already have been exfiltrated.

Share

EUVD-2026-33609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy