Description
An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file.
Published: 2026-05-12
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MK-Auth version 23.01K4.9 contains an arbitrary file upload flaw that lets an attacker place a PHP file on the server and have it executed. The vulnerability arises because uploaded files are stored without type validation or execution restrictions, so the attacker can run arbitrary code on the host. Any user who can reach the upload functionality could therefore compromise the confidentiality, integrity, and availability of the system.

Affected Systems

The flaw affects the MK-Auth application, specifically the 23.01K4.9 release. No additional versions or vendors are listed in the CVE record. Administrators of systems running this release should verify the exact deployment and identify any active upload endpoints.

Risk and Exploitability

The vulnerability is highly exploitable for an attacker with network access to the MK-Auth instance. Because the upload interface is likely exposed over HTTP, the attack vector is remote. A CVSS score of 8 indicates high severity, and the resulting remote code execution together with the absence of a vendor fix compounds the risk. The EPSS score is below 1%, suggesting low exploitation probability so far, and the issue is not listed in CISA’s KEV catalog. If the upload directory is reachable, an attacker can proceed without authentication or with minimal credentials, making exploitation straightforward.

Generated by OpenCVE AI on May 13, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patch or upgrade to a version of MK-Auth that includes proper file type validation and prohibits execution of uploaded PHP files.
  • Move the upload directory outside the web root or disable script execution in that directory via web‑server configuration.
  • Restrict allowed file types to non‑executable formats (e.g., images, documents) and enforce MIME‑type checks before storage.
  • If an upgrade is not possible, treat the upload function as a potential command‑injection point and block access until mitigated.
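The following is an added example of an upload handler that applies the mitigations listed above (extension allowlist of non-executable formats, content-based MIME check before storage, random server-side filename, storage outside the web root). It is not MK-Auth code and does not reflect the vulnerable handler; the form field name `upload`, the directory `/var/app/uploads`, and the function names are assumptions for illustration.

```php
<?php
// Added example (not MK-Auth code): a hardened upload handler.
// Assumed: the form field is named "upload" and UPLOAD_DIR lies outside the web root.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';      // assumed path, not served by the web server
const MAX_BYTES  = 5 * 1024 * 1024;        // 5 MiB cap on a single upload

// Allowlist: extension => the MIME type the file's *content* must actually have.
// Script formats (php, phtml, phar, ...) are simply absent from the list.
const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate one entry of $_FILES and return the extension it may be stored with,
 * or null if it must be rejected.
 */
function validateUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // only accept PHP's own temp file
        return null;
    }
    if ($file['size'] > MAX_BYTES) {
        return null;
    }

    // Extension from the client-supplied name: last component only, lowercased.
    // "shell.php" is rejected (not allowlisted); "shell.php.png" yields "png" and
    // then has to pass the content check below as a real PNG.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }

    // Sniff the real content type; $file['type'] is client-controlled and ignored.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        return null;
    }
    return $ext;
}

/**
 * Store a validated upload under a random name outside the web root.
 * Returns the opaque id the application should reference, or null on rejection.
 */
function storeUpload(array $file): ?string
{
    $ext = validateUpload($file);
    if ($ext === null) {
        return null;
    }
    $id   = bin2hex(random_bytes(16));         // never reuse the client's filename
    $dest = UPLOAD_DIR . '/' . $id . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);                         // not executable, not world-readable
    return $id;
}

if (isset($_FILES['upload'])) {
    $id = storeUpload($_FILES['upload']);
    http_response_code($id === null ? 400 : 201);
    echo $id === null ? "rejected\n" : "stored as $id\n";
}
```

Because the files live outside the document root, they are only ever delivered through an application read handler that sets `Content-Type` from the allowlist and `Content-Disposition: attachment`, so nothing in that directory can be executed by the PHP engine. As a second layer, the web server should refuse to run scripts in any directory that does receive uploads (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration; for nginx, a `location` block for the upload path with no PHP handler), so a validation bypass still cannot turn into code execution.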



Advisories

No advisories yet.

History

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Mk-auth
Mk-auth mk-auth
Vendors & Products Mk-auth
Mk-auth mk-auth

Wed, 13 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload Enables Remote Code Execution in MK-Auth 23.01K4.9

Wed, 13 May 2026 16:30:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload in MK‑Auth Allowing Remote Code Execution
Weaknesses CWE-20

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload in MK‑Auth Allowing Remote Code Execution
Weaknesses CWE-20
CWE-434

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T13:34:30.232Z

Reserved: 2023-03-05T00:00:00.000Z

Link: CVE-2023-27753

Vulnrichment

Updated: 2026-05-13T13:34:20.651Z

NVD

Status : Deferred

Published: 2026-05-12T16:16:11.200

Modified: 2026-05-13T15:48:11.537

Link: CVE-2023-27753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:42:36Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type