Description
Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
Published: 2026-02-13
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference (IDOR, CWE-639): the application selects data or operations by an identifier supplied by the client and does not check that the authenticated caller is authorized for the object that identifier names. An attacker who already holds a valid low-privileged account (the CVSS vector has PR:L) can therefore substitute another user's identifier and read or modify records that should be out of reach, compromising both confidentiality and integrity (C:H/I:H). Based on the description, it is inferred that exploitation amounts to sending otherwise ordinary requests in which the trusted identifier has been replaced with one the attacker should not be permitted to use.
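The lookup pattern described above, shown beside the object-level authorization check that fixes it. This is an added illustration written for this page, not FlexCity/Kiosk's own code (which is not public here); KioskStore, Record, Principal, the handler functions and the sample records are all hypothetical.

```python
"""Added example: an IDOR (CWE-639) lookup beside its object-level authorization fix.

Everything here is hypothetical illustration for this page: KioskStore, Record,
Principal, the handler functions and the sample records do not come from
FlexCity/Kiosk.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Response = Tuple[int, Optional[str]]  # (HTTP status, body)


@dataclass(frozen=True)
class Principal:
    """The authenticated caller as held in the server-side session.

    This is the only identity the handlers trust; user ids or roles carried in
    the request itself are never used for authorization decisions.
    """
    user_id: str
    role: str  # "user" or "admin"


@dataclass
class Record:
    record_id: int
    owner_id: str
    body: str


class KioskStore:
    """Constructed sample data: two users, each owning one record."""

    def __init__(self) -> None:
        self.records: Dict[int, Record] = {
            1001: Record(1001, "alice", "alice's transaction history"),
            1002: Record(1002, "bob", "bob's transaction history"),
        }


def get_record_vulnerable(store: KioskStore, caller: Principal, record_id: int) -> Response:
    """The CWE-639 pattern: the caller is authenticated, but the record is selected
    by the client-supplied id alone, so any logged-in user can read any record by
    changing the number in the request."""
    rec = store.records.get(record_id)
    if rec is None:
        return 404, None
    return 200, rec.body


def _authorized_lookup(store: KioskStore, caller: Principal, record_id: int) -> Optional[Record]:
    """Look the record up, then decide from the session principal whether this
    caller may use it (for non-admin callers this is the same as adding
    `AND owner_id = :caller` to the query). Returns None both when the record is
    missing and when it belongs to someone else, so the two cases are indistinguishable."""
    rec = store.records.get(record_id)
    if rec is None:
        return None
    if caller.role == "admin" or rec.owner_id == caller.user_id:
        return rec
    return None


def get_record_hardened(store: KioskStore, caller: Principal, record_id: int) -> Response:
    """Read with object-level authorization. 'Not found' and 'not yours' produce the
    same 404, which keeps the endpoint from acting as an existence oracle during
    identifier enumeration."""
    rec = _authorized_lookup(store, caller, record_id)
    if rec is None:
        return 404, None
    return 200, rec.body


def update_record_hardened(store: KioskStore, caller: Principal, record_id: int, new_body: str) -> Response:
    """Write path with the same check; the CVSS vector rates integrity impact High,
    so mutation endpoints need the authorization check as much as reads do."""
    rec = _authorized_lookup(store, caller, record_id)
    if rec is None:
        return 404, None
    rec.body = new_body
    return 200, rec.body


def demo() -> Dict[str, Response]:
    """Run bob against alice's record through both handlers."""
    store = KioskStore()
    bob = Principal("bob", "user")
    return {
        "vulnerable_cross_user_read": get_record_vulnerable(store, bob, 1001),
        "hardened_cross_user_read": get_record_hardened(store, bob, 1001),
        "hardened_own_read": get_record_hardened(store, bob, 1002),
        "hardened_cross_user_write": update_record_hardened(store, bob, 1001, "tampered"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `_authorized_lookup` is that the identifier only selects the row; the decision about whether the caller may use it comes from the session, never from anything in the request. Collapsing "missing" and "forbidden" into one response is deliberate: a distinct 403 would tell an enumerating client which identifiers exist.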

Affected Systems

This issue affects Universal Software Inc.'s FlexCity/Kiosk, versions from 1.0 before 1.0.36 (NVD also lists the product under the vendor name Uni-yaz, CPE cpe:2.3:a:uni-yaz:flexcity). Because the flaw lies in how the application trusts client-supplied identifiers rather than in any deployment setting, every installation running an affected release is exposed.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 8.3 (High) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L: reachable over the network, low attack complexity, no user interaction, but it requires an authenticated low-privileged account. The EPSS score is below 1 %, indicating a low current probability of exploitation, and the CVE is not in CISA's KEV catalogue, so no active exploitation is known. The SSVC assessment added through Vulnrichment records Exploitation: none, Automatable: no, Technical Impact: total. The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Based on the description, it is inferred that the attack vector is crafted HTTP requests carrying a trusted identifier under the attacker's control; no public exploit or proof of concept is referenced on this page.

Generated by OpenCVE AI on April 18, 2026 at 12:31 UTC.

Remediation

No vendor advisory, fix reference or workaround is linked from this record (the References field is empty). The affected range, "from 1.0 before 1.0.36", implies that 1.0.36 is the first release without the flaw.

OpenCVE Recommended Actions

  • Upgrade FlexCity/Kiosk to version 1.0.36 or later, the first release outside the affected range.
  • Where an upgrade cannot happen immediately, enforce object-level authorization on every endpoint that takes an identifier: after looking the object up, verify that the authenticated session's principal owns it or holds a role permitted to access it, and return the same response for "does not exist" and "not yours" so the endpoint cannot be used as an existence oracle. A whitelist of identifier values is not a substitute: the identifiers themselves are legitimate, the problem is who is allowed to use them.
  • Restrict network and role access to the API or UI components that accept trusted identifiers, so that only users who need to request or modify them can reach those endpoints, and never take identity claims (user id, account number, role) from the request when the server-side session already holds them.
  • Monitor access logs for a single session touching many distinct identifiers or walking them sequentially, and alert on repeated or suspicious request patterns; on an unpatched system such a walk succeeds, so alerting on 403/404 counts alone will miss it.
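A detector for the pattern the last bullet describes, as an added example for this page (not OpenCVE's or the vendor's code). The log line format, the /api/records/<id> path, the thresholds and the sample log lines are all constructed; FlexCity/Kiosk's real log format is not described here.

```python
"""Added example: spotting identifier enumeration in access logs.

The log line format, the /api/records/<id> path, the thresholds and the sample
lines are hypothetical and constructed for this page.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# One request per line: timestamp, session user, method, path, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"/api/records/(?P<rid>\d+) (?P<status>\d{3})$"
)

# Constructed sample: alice reads her own record; bob reads his, then walks
# the neighbouring ids. On an unpatched server the walk mostly returns 200.
SAMPLE_LOG = """\
2026-02-13T10:00:01Z user=alice GET /api/records/1001 200
2026-02-13T10:00:05Z user=bob GET /api/records/1002 200
2026-02-13T10:01:00Z user=bob GET /api/records/1001 200
2026-02-13T10:01:01Z user=bob GET /api/records/1003 200
2026-02-13T10:01:02Z user=bob GET /api/records/1004 404
2026-02-13T10:01:03Z user=bob GET /api/records/1005 200
2026-02-13T10:01:04Z user=bob GET /api/records/1006 200
2026-02-13T10:02:00Z user=alice GET /api/records/1001 200
"""


def parse_access_log(text: str) -> List[dict]:
    """Parse matching lines; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            d["status"] = int(d["status"])
            events.append(d)
    return events


def _longest_consecutive_run(ids: Set[int]) -> int:
    """Length of the longest run of consecutive integers in ids."""
    best = 0
    for start in ids:
        if start - 1 in ids:
            continue  # not the beginning of a run
        n, length = start, 0
        while n in ids:
            length += 1
            n += 1
        best = max(best, length)
    return best


def detect_enumeration(events: List[dict], distinct_threshold: int = 4,
                       run_threshold: int = 3) -> Dict[str, dict]:
    """Per user: distinct record ids touched, the longest sequential walk, and how
    many requests were refused. A user is flagged on breadth or on a sequential
    walk, not on refusals: against a vulnerable server the enumeration succeeds,
    so 403/404 counts alone would miss it."""
    ids: Dict[str, Set[int]] = defaultdict(set)
    denied: Dict[str, int] = defaultdict(int)
    for e in events:
        ids[e["user"]].add(e["rid"])
        if e["status"] in (401, 403, 404):
            denied[e["user"]] += 1
    report = {}
    for user, seen in ids.items():
        run = _longest_consecutive_run(seen)
        report[user] = {
            "distinct_ids": len(seen),
            "longest_sequential_run": run,
            "denied": denied[user],
            "flagged": len(seen) >= distinct_threshold or run >= run_threshold,
        }
    return report


if __name__ == "__main__":
    for user, stats in detect_enumeration(parse_access_log(SAMPLE_LOG)).items():
        print(user, stats)
```

In the sample, bob's walk produces one 404 and five 200s; a rule keyed on error counts would stay silent, while the breadth and sequential-run counters flag him. The thresholds are placeholders and should be tuned to how many distinct records a legitimate kiosk session touches.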


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 13:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Uni-yaz; Uni-yaz flexcity
CPEs                 (none)           cpe:2.3:a:uni-yaz:flexcity:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Uni-yaz; Uni-yaz flexcity

Fri, 13 Feb 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Universal Software Inc.; Universal Software Inc. flexcity/kiosk
Vendors & Products   (none)           Universal Software Inc.; Universal Software Inc. flexcity/kiosk

Fri, 13 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 13:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36.
Title         (none)           IDOR in Universal Software's FlexCity/Kiosk
Weaknesses    (none)           CWE-639
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-02-13T16:59:48.958Z

Reserved: 2026-01-29T14:06:14.343Z

Link: CVE-2026-1619

Vulnrichment

Updated: 2026-02-13T16:59:44.470Z

NVD

Status : Analyzed

Published: 2026-02-13T14:16:10.067

Modified: 2026-03-02T13:38:01.157

Link: CVE-2026-1619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses