Skip to main content

MicroRealEstate EUVDEUVD-2026-42004

| CVE-2026-57868 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-07 vdp@themissinglink.com.au GHSA-qjq2-685q-j8gv
7.1
CVSS 4.0 · Vendor: themissinglink
Share

Severity by source

Vendor (themissinglink) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable IDOR exploitable by any authenticated user (PR:L, AC:L), yielding unauthorized document disclosure only, so C:H with I:N/A:N and unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (themissinglink).

CVSS VectorVendor: themissinglink

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 06:34 vuln.today

DescriptionCVE.org

MicroRealEstate is affected by broken object-level access controls in PDF generator functionality.

This issue affects MicroRealEstate: through 1.0.0-alpha3.

AnalysisAI

Sensitive document disclosure in MicroRealEstate through 1.0.0-alpha3 lets an authenticated low-privilege user retrieve PDF documents belonging to other tenants or organizations by manipulating object identifiers passed to the PDF generator. Classified under CWE-639 (IDOR) and CVSS 4.0 7.1, the flaw exposes confidential data (VC:H) without requiring integrity or availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with valid low-privilege account
Delivery
Call PDF generator endpoint
Exploit
Substitute another tenant's document ID
Execution
Server skips ownership check
Persist
Retrieve unauthorized PDF
Impact
Exfiltrate confidential tenant data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated MicroRealEstate account (CVSS PR:L) on an instance where the PDF generator functionality is reachable, and the attacker must supply an object identifier (document/tenant/organization key) belonging to another principal - the specific feature required is the PDF document-generation endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) describes a network-reachable, low-complexity, low-privilege attack with no user interaction that yields high confidentiality impact and no integrity or availability impact - consistent with data theft via IDOR rather than system compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege user of a shared MicroRealEstate instance logs in and requests a PDF document, then increments or substitutes the document/tenant identifier in the request to a value they do not own. Because the PDF generator does not verify object ownership, the server returns another tenant's lease, rent notice or receipt, disclosing personal and financial data. …
Remediation No vendor-released patch identified at time of analysis - the references point only to the upstream GitHub repository (https://github.com/microrealestate/microrealestate) and the reporter advisory (https://www.themissinglink.com.au/security-advisories/cve-2026-57868), with no tagged fixed release beyond 1.0.0-alpha3. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all MicroRealEstate deployments on version 1.0.0-alpha3 or earlier; review PDF export logs from January 2026 onward for sequential or anomalous document ID requests. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy