Impact
A flaw in the BookController of TaleLin's lin-cms-spring-boot lets a remote attacker bypass the authorization checks intended for the book endpoint. The weakness is improper access control: a user who lacks the required role can read or manipulate book data that role-based restrictions should protect. The issue is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control).
Affected Systems
The issue affects every deployment of TaleLin lin-cms-spring-boot up to and including version 0.2.1. The flaw resides in src/main/java/io/github/talelin/latticy/controller/v1/BookController.java, which serves the book API. No other versions or components are listed as affected, and the scope is confined to the book endpoint rather than the whole application.
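As a triage aid for the affected file, the following added Python script (example code, not part of lin-cms-spring-boot or OpenCVE) lists the mapped handler methods in a Spring MVC controller source file that carry no authorization annotation at either method or class level. The controller source embedded in it is constructed for the example, and the lin-cms annotation names it treats as authorization gates (LoginRequired, GroupRequired, AdminRequired) are an assumption; adjust the set to whatever the codebase actually uses. Pass a path to BookController.java from a checkout to see which book handlers are reachable without a role check.

```python
import re
import sys

# Annotations that turn a method into an HTTP handler in Spring MVC.
MAPPING_ANNOTATIONS = {
    "RequestMapping", "GetMapping", "PostMapping",
    "PutMapping", "DeleteMapping", "PatchMapping",
}

# Annotations treated as an authorization gate. The lin-cms names
# (LoginRequired, GroupRequired, AdminRequired) are an assumption for this
# example; PreAuthorize/Secured/RolesAllowed are Spring Security / JSR-250.
AUTH_ANNOTATIONS = {
    "LoginRequired", "GroupRequired", "AdminRequired",
    "PreAuthorize", "Secured", "RolesAllowed",
}

ANNOTATION_RE = re.compile(r"@(\w+)")
CLASS_RE = re.compile(r"^\s*(?:public\s+)?(?:final\s+)?class\s+\w+")
# Public method declaration: modifiers, return type, name, opening paren.
METHOD_RE = re.compile(r"^\s*public\s+[\w<>\[\],\s]+?\s+(\w+)\s*\(")


def audit_controller(source: str) -> list[dict]:
    """Return one record per mapped handler: its name, the mapping
    annotations on it, and whether an authorization annotation applies
    (declared on the method itself or on the enclosing class)."""
    class_auth: set[str] = set()
    pending: list[str] = []       # annotations seen since the last declaration
    findings: list[dict] = []
    for line in source.splitlines():
        stripped = line.strip()
        if CLASS_RE.match(line):
            class_auth = set(pending) & AUTH_ANNOTATIONS
            pending = []
            continue
        m = METHOD_RE.match(line)
        if m:
            names = set(pending)
            mappings = names & MAPPING_ANNOTATIONS
            if mappings:
                auth = (names | class_auth) & AUTH_ANNOTATIONS
                findings.append({
                    "method": m.group(1),
                    "mappings": sorted(mappings),
                    "auth": sorted(auth),
                    "protected": bool(auth),
                })
            pending = []
            continue
        if stripped.startswith("@"):
            pending.extend(ANNOTATION_RE.findall(stripped))
    return findings


def unprotected_handlers(source: str) -> list[str]:
    """Names of mapped handlers with no authorization annotation in scope."""
    return [f["method"] for f in audit_controller(source) if not f["protected"]]


# Constructed sample controller for the example; not the project's real file.
SAMPLE_CONTROLLER = """\
@RestController
@RequestMapping("/v1/book")
public class BookController {

    @GetMapping("/{id}")
    public BookDO getBook(@PathVariable(value = "id") Long id) {
        return bookService.getById(id);
    }

    @GetMapping("/search")
    public List<BookDO> searchBook(@RequestParam String q) {
        return bookService.search(q);
    }

    @PostMapping("")
    @GroupRequired
    public CreatedVO createBook(@RequestBody CreateOrUpdateBookDTO dto) {
        bookService.create(dto);
        return new CreatedVO();
    }

    @PutMapping("/{id}")
    public UpdatedVO updateBook(@PathVariable Long id, @RequestBody CreateOrUpdateBookDTO dto) {
        bookService.update(id, dto);
        return new UpdatedVO();
    }

    @DeleteMapping("/{id}")
    @LoginRequired
    public DeletedVO deleteBook(@PathVariable Long id) {
        bookService.delete(id);
        return new DeletedVO();
    }
}
"""

if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the constructed sample.
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONTROLLER
    for f in audit_controller(src):
        status = "ok       " if f["protected"] else "UNGUARDED"
        print(f"{status} {f['method']:<12} {','.join(f['mappings'])} {','.join(f['auth'])}")
```

The check is deliberately coarse: it only reports handlers that have no gate at all, so a handler guarded by the wrong role (the other common shape of an authorization bypass) still needs a manual read of the annotation arguments. Any handler the script flags that performs a write, such as an update or delete, is the first place to look.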
Risk and Exploitability
The CVSS score of 5.3 places this vulnerability in the Medium severity range. No EPSS score is available yet, and the issue is not in CISA's Known Exploited Vulnerabilities catalog. The description nonetheless states that an exploit is publicly available and that the flaw can be triggered remotely, so the vulnerable endpoint can be targeted from outside the network without prior access to the host. Because the flaw subverts authorization directly, an attacker may reach protected resources, leaking data or modifying content that only privileged roles should be able to touch. No fix is available in the current release, so the vulnerability remains exploitable until the vendor publishes a patch or operators restrict access to the book endpoint by other means.
OpenCVE Enrichment