Description
Missing authentication for critical function vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. CafePlus allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects CafePlus: from 12.05.03 before 12.05.04.
Published: 2026-06-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing authentication mechanisms for a critical function in CafePlus, allowing attackers to access functionality that should be secured by access control lists. Without proper authentication, malicious users can invoke privileged operations, potentially leading to remote code execution. This weakness is classified as CWE-306 (Missing Authentication for Critical Function).

Affected Systems

AKIN Software Computer Import Export Industry and Trade Ltd. produces CafePlus. Versions ranging from 12.05.03 up to, but not including, 12.05.04 are impacted. Users running these versions are susceptible unless they restrict exposure or apply a patch.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and while an EPSS score is not available, the lack of a KEV listing suggests no confirmed exploits yet. Nevertheless, the missing authentication implies that once the web interface or API is reachable, an attacker can execute the vulnerable function without needing valid credentials. Attackers could automate requests to the exposed endpoint to gain arbitrary code execution on the host.

Generated by OpenCVE AI on June 23, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or upgrade to CafePlus 12.05.04 or later where the authentication check has been restored.
  • If an upgrade is not immediately possible, restrict access to the CafePlus service so that only trusted internal hosts can reach it, effectively blocking unauthenticated external access.
  • Disable or isolate the vulnerable functionality until a patch is applied, or reconfigure the application to require authentication for all protected operations.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Akin; Akin cafeplus
Vendors & Products    (none)           Akin; Akin cafeplus

Tue, 23 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           Missing authentication for critical function vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. CafePlus allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CafePlus: from 12.05.03 before 12.05.04.
Title         (none)           RCE in Akınsoft's CafePlus
Weaknesses    (none)           CWE-306
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-06-23T13:40:06.835Z

Reserved: 2026-06-02T18:23:11.848Z

Link: CVE-2026-10711

Vulnrichment

Updated: 2026-06-23T13:39:57.834Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T21:03:07Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function