Description
A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component User Management Endpoint. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper authorization allowing unauthorized deletion of users
Action: Assess Impact
AI Analysis

Impact

A weakness was discovered in the User Management Endpoint of the Yeqifu Warehouse application, specifically within the deleteUser function of UserController.java. The flaw permits an attacker to bypass authorization checks and delete arbitrary user accounts. The vulnerability is a classic case of improper or missing access control (CWE-266) combined with authorization errors (CWE-285). The impact is the loss of legitimate user accounts and potential disruption of services: deleted users can no longer access the system, and the deletions may lead to data integrity issues if those accounts held permissions or data. No confidentiality breach is described, but the loss of user identities can have cascading effects on business processes.

Affected Systems

The bug affects the Yeqifu Warehouse product, as released in any version up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The software library does not provide a clear version number for the affected or patched releases. Administrators should therefore treat all versions that have not reported a fix as vulnerable.

Risk and Exploitability

The CVSS v3 score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation probability is very low at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw remotely via the exposed deletion endpoint. Because no critical conditions are listed, the exploit does not require privileged access or local compromise; any entity that can reach the endpoint can attempt the deletion. The lack of an official patch means the risk persists until the developers respond and release a fix.

Generated by OpenCVE AI on April 18, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the developer’s repository or contact the Yeqifu Warehouse maintainers for a security fix or patch release.
  • If a patch is not available immediately, restrict access to the deleteUser endpoint to authorized administrative roles only, or temporarily disable the endpoint through configuration changes or firewall rules.
  • Implement logging and monitoring for deletion attempts to detect any unauthorized activity, and review user accounts regularly for unexpected removals.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Yeqifu
Yeqifu warehouse
Vendors & Products Yeqifu
Yeqifu warehouse

Sat, 07 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component User Management Endpoint. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Title yeqifu warehouse User Management Endpoint UserController.java deleteUser improper authorization
Weaknesses CWE-266
CWE-285
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:29:54.078Z

Reserved: 2026-02-06T07:57:10.089Z

Link: CVE-2026-2076

Vulnrichment

Updated: 2026-02-10T15:28:29.447Z

NVD

Status: Analyzed

Published: 2026-02-07T07:15:46.630

Modified: 2026-02-10T15:14:59.553

Link: CVE-2026-2076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z
