Description
A weakness has been identified in SourceCodester Inventory Management System 1.0. This vulnerability affects unknown code of the file /api/users_handler.php of the component User Registration Endpoint. This manipulation of the argument role causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported flaw lies in the role argument handling of the user registration endpoint in SourceCodester Inventory Management System. By sending a crafted value for the role parameter, an unauthenticated or low‑privileged client can override the intended permissions, resulting in improper access control. The vulnerability allows an attacker to elevate their privileges to those of a higher‑level role, undermining the integrity and confidentiality of the system’s data. The CVE description explicitly notes that remote exploitation is possible and that public proof‑of‑concept code is available.

Affected Systems

This issue affects SourceCodester Inventory Management System version 1.0, specifically the /api/users_handler.php component that manages user registration. No other product versions or vendors were listed as affected.

Risk and Exploitability

The flaw carries a CVSS 4.0 base score of 6.9 (Medium). EPSS is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote HTTP request to the API endpoint carrying a manipulated role parameter. Given the public availability of an exploit, the risk is significant for organizations running this version without a fix.

Generated by OpenCVE AI on June 29, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SourceCodester Inventory Management System release when a vendor patch becomes available.
  • Revise the /api/users_handler.php code to enforce a strict whitelist of permissible role values and reject any unauthorized assignments.
  • Implement server‑side role‑based access control for all endpoints that modify user roles, ensuring that only administrators can grant privileged roles.
  • Consider adding input validation or middleware to block unexpected role values or malformed requests.
  • If a patch is not immediately available, restrict new user registrations to administrative approval or temporarily disable role assignment via the public API until the vulnerability is resolved.
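The whitelist and admin-only checks recommended above, as an added illustration written for this page (it is not the SourceCodester users_handler.php code); the PDO connection $pdo, the users table columns, the role whitelist values and the session key holding the caller's role are assumptions:

```php
<?php
// Added example (not SourceCodester's users_handler.php): a registration
// handler that never trusts a client-supplied "role". Assumed: a PDO
// connection $pdo, a users table (username, password_hash, role), and
// the caller's own role taken from a server-side session.
declare(strict_types=1);

const ALLOWED_ROLES = ['admin', 'staff', 'user'];   // constructed whitelist
const DEFAULT_ROLE  = 'user';

// Weak pattern behind CWE-266/CWE-284 here: role copied from the request.
//   $role = $_POST['role'] ?? 'user';

/**
 * Decide which role a new account may receive.
 * Returns the role, or null when the request must be rejected.
 */
function resolveRole(?string $requested, ?string $callerRole): ?string
{
    // Self-registration (no admin session): the parameter is not honoured.
    if ($callerRole !== 'admin') {
        return ($requested === null || $requested === DEFAULT_ROLE) ? DEFAULT_ROLE : null;
    }
    // Administrators may choose a role, but only from the whitelist.
    $role = $requested ?? DEFAULT_ROLE;
    return in_array($role, ALLOWED_ROLES, true) ? $role : null;
}

function registerUser(PDO $pdo, array $post, ?string $callerRole): array
{
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');
    if ($username === '' || strlen($password) < 8) {
        return ['status' => 400, 'error' => 'invalid username or password'];
    }
    $role = resolveRole(isset($post['role']) ? (string)$post['role'] : null, $callerRole);
    if ($role === null) {
        // Refuse and log: a non-admin asking for a privileged role is a useful detection signal.
        error_log("users_handler: rejected role request for user '{$username}'");
        return ['status' => 403, 'error' => 'role assignment not permitted'];
    }
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)'
    );
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $role]);
    return ['status' => 201, 'role' => $role];
}

// Usage (constructed): $result = registerUser($pdo, $_POST, $_SESSION['role'] ?? null);
```

Rejecting rather than silently downgrading an unauthorized role value keeps the attempt visible in the error log, which is the cheapest detection available while no vendor fix exists.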



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type / Values Removed / Values Added (initial entry: nothing removed)
  • Description: A weakness has been identified in SourceCodester Inventory Management System 1.0. This vulnerability affects unknown code of the file /api/users_handler.php of the component User Registration Endpoint. This manipulation of the argument role causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
  • Title: SourceCodester Inventory Management System User Registration Endpoint users_handler.php access control
  • First Time appeared: Sourcecodester; Sourcecodester inventory Management System
  • Weaknesses: CWE-266, CWE-284
  • CPEs: cpe:2.3:a:sourcecodester:inventory_management_system:*:*:*:*:*:*:*:*
  • Vendors & Products: Sourcecodester; Sourcecodester inventory Management System
  • References: (empty)
  • Metrics:
      cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T12:45:07.960Z

Reserved: 2026-06-28T18:22:52.356Z

Link: CVE-2026-13568

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T18:00:05Z

Weaknesses
  • CWE-266: Incorrect Privilege Assignment
  • CWE-284: Improper Access Control