Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects WriteUp Mobile App: from 1.3.0 through 04062026.
AnalysisAI
Authorization bypass in Kurt Software Studio WriteUp Mobile App versions 1.3.0 through 04062026 allows authenticated users to access functionality outside their permitted scope, leading to high confidentiality, integrity, and availability impact. The flaw, reported by Turkey's national CERT (TR-CERT), stems from missing ACL enforcement on application functions reachable over the network with low privileges. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-284 (Improper Access Control) / Missing Authorization defect in the WriteUp mobile application stack, identified by CPE cpe:2.3:a:kurt_software_studio:writeup_mobile_app. Mobile apps of this class typically front a backend API that must enforce per-user or per-role authorization on every endpoint; this CVE indicates the application exposes one or more functions that perform privileged actions without verifying that the requesting principal is entitled to invoke them. Because the CVSS scope is Unchanged but confidentiality, integrity, and availability are all High, the missing checks likely guard operations that read, modify, or destroy data belonging to other users within the same application boundary.
RemediationAI
No vendor-released patch identified at time of analysis in the provided data; consult the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0310 for the current fix release from Kurt Software Studio and upgrade beyond the 04062026 build once published. Until a fixed version is available, compensating controls should focus on the server-side API rather than the mobile client: enforce per-object authorization checks at the API gateway or backend, restrict sensitive endpoints to trusted networks or VPN access (accepting that this breaks general mobile use), revoke or rotate session tokens for any account suspected of probing other users' resources, and add detection rules for users issuing requests with IDs or references they do not own. Disabling the mobile app entirely is the only client-side mitigation and will block legitimate use, so it is only appropriate for high-sensitivity tenants.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34283
GHSA-q2v7-xv64-8j7v