Skip to main content

GisLab LMS EUVDEUVD-2026-45204

| CVE-2026-11763 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-17 TR-CERT GHSA-7grq-v3mc-cv46
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (TR-CERT) PRIMARY
MEDIUM
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable IDOR requiring only an authenticated low-privilege session; confidentiality-only impact with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 17, 2026 - 16:48 vuln.today

DescriptionNVD

Authorization bypass through User-Controlled key vulnerability in Gis Informatics Engineering Consulting Laboratory R&D and Software Services Inc. GisLab Laboratory Management System allows Exploitation of Trusted Identifiers.

This issue affects GisLab Laboratory Management System: from 1.4.03 through 08072026.

AnalysisAI

Authorization bypass in GisLab Laboratory Management System (versions 1.4.03 through 08072026) allows an authenticated low-privileged user to access confidential data belonging to other users by manipulating user-controlled identifier keys in requests. The flaw (CWE-639, IDOR class) exposes high-confidentiality data without requiring elevated privileges or user interaction, over the network. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privilege account
Delivery
Authenticate to GisLab LMS over network
Exploit
Identify user-controlled record key in request
Execution
Substitute key with another user's identifier
Impact
Server returns unauthorized confidential record

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated account in the GisLab Laboratory Management System (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is backed by a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a network-reachable, low-complexity exploit requiring only a standard authenticated session - no elevated privileges and no victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid low-privileged account in GisLab Laboratory Management System crafts HTTP requests substituting another user's record identifier in a parameter (e.g., changing a user ID or sample ID in a URL or POST body). Because the server authorizes based on the caller-supplied key rather than validating session ownership, the response returns the targeted user's confidential laboratory records. …
Remediation Consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0573 for vendor-released patch guidance, as an exact fixed version was not independently confirmed in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy