Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Adjacent-network reachable, no auth or interaction, low complexity, and missing ACL on a critical function yields full C/I/A impact.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Missing authentication for critical function vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. CafePlus allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects CafePlus: from 12.05.03 before 12.05.04.
AnalysisAI
Missing authentication in AKIN Software's CafePlus versions 12.05.03 through 12.05.04 allows adjacent-network attackers to access privileged functionality without credentials. The flaw enables full compromise of confidentiality, integrity, and availability over an adjacent network vector, with no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must be on a network adjacent to the CafePlus server (AV:A) - typically the same LAN, VLAN, or Wi-Fi segment as the POS deployment - and the target must be running CafePlus version 12.05.03. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk is meaningful but bounded by the adjacent-network attack vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who joins the same local network as a CafePlus server - for example, by connecting to a cafe's guest Wi-Fi - sends a request to a critical CafePlus function that fails to enforce authentication, gaining the ability to read or alter transactional data, inject commands, or disrupt service. No special tooling or credentials are required and the attack complexity is low, though no public exploit code is identified at time of analysis. |
| Remediation | Upgrade CafePlus to version 12.05.04 or later, which the advisory metadata indicates is the fixed release; confirm availability and patch notes via the vendor through the TR-CERT bulletin at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0428. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running CafePlus 12.05.03-12.05.04; implement immediate network segmentation and firewall rules to restrict adjacent network access to these systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38426
GHSA-72hx-6mcj-jmr2