Skip to main content

Liman MYS EUVDEUVD-2026-42033

| CVE-2026-11340 HIGH
Missing Authorization (CWE-862)
2026-07-07 TR-CERT GHSA-6xf8-9p5r-2vcr
8.3
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
vuln.today AI
8.3 HIGH

Network-reachable panel exploitable by an authenticated low-privileged user (PR:L) with no UI; missing ACLs yield high integrity/availability impact and limited confidentiality exposure.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 11:31 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Liman MYS: before release.Master.1107.

AnalysisAI

Privilege escalation and unauthorized functionality access in HAVELSAN Liman MYS (Yönetim Sistemi) before release.Master.1107 allows an authenticated low-privileged user to invoke functions that should be gated by access-control lists. Because certain endpoints fail to enforce authorization (CWE-862), a limited user can reach administrative or restricted operations, enabling significant integrity and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privileged Liman account
Delivery
Enumerate restricted admin endpoints
Exploit
Send request bypassing missing ACL check
Execution
Invoke privileged management function
Impact
Alter config or disrupt services

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on Liman MYS at a low privilege level (CVSS PR:L) with network access to the web management interface (AV:N); no user interaction and no elevated privileges are needed beyond that initial foothold. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H (base 8.3, High) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with high integrity and availability impact but only low confidentiality impact - consistent with a broken-access-control flaw where an authenticated user pivots to privileged actions rather than reading bulk secrets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a standard low-privileged Liman MYS account (for example, a limited operator or a compromised staff login) sends crafted requests directly to administrative or restricted endpoints that the UI would normally hide. Because the server does not enforce authorization on those functions, the attacker performs privileged operations - altering configuration or disrupting managed services - achieving high integrity and availability impact without any user interaction. …
Remediation Upgrade to Liman MYS release.Master.1107 or later, which is the vendor-fixed build per the TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0504). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all HAVELSAN Liman MYS instances and document current versions; audit low-privilege user accounts and revoke unnecessary access to sensitive operations; establish detailed logging on all administrative function calls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy