Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Authenticated low-privilege remote user (PR:L, AV:N, AC:L) abusing an unprotected endpoint; the actual impact is license deactivation causing service outage, so A:H with C:N/I:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing authorization checks, this allows the attacker to deactivate the application's license.
AnalysisAI
Privilege-boundary bypass in CAXperts UPVWebServices (2.4.2212.603-2.7.6) and the companion UDiTH Portal (2026.0.0-2026.2.0) lets any authenticated low-privilege user reach an administrative API endpoint that lacks an authorization check, enabling them to deactivate the application's license and disable the service. Rated CVSS 8.1 by the reporter, this is a broken-access-control (CWE-862) issue affecting engineering-portal deployments. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session on UPVWebServices or the UDiTH Portal (CVSS PR:L confirms at least low-privilege authentication is needed - this is not an unauthenticated attack) plus network reachability to the API. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A disgruntled employee or an attacker who has phished a single ordinary portal login authenticates to the UDiTH Portal, then sends a direct HTTP request to the administrative license API endpoint that the UI normally hides from non-admins. Because the server never checks the caller's role, the license is deactivated and the plant-viewer application stops serving users, producing a denial of service. … |
| Remediation | Consult the vendor advisory CAXSEC-2026-001 (https://github.com/caxperts/security-advisories/blob/main/2026/CAXSEC-2026-001_portal.md) and upgrade to a fixed release above UPVWebServices 2.7.6 / UDiTH Portal 2026.2.0; note that no vendor-released patched version number was provided in the available data, so confirm the exact fixed build directly with CAXperts before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and document all deployments of UPVWebServices (versions 2.4.2212.603-2.7.6) and UDiTH Portal (2026.0.0-2026.2.0); audit low-privilege user accounts and their access scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42496
GHSA-h5xf-rv7f-wv3m