Description
A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role Management Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation via unauthorized role deletion
Action: Assess Impact
AI Analysis

Impact

Unauthorized deletion of user roles is possible because the deleteRole method of RoleController performs no authorization check. Any user able to reach the endpoint can remove roles from the system; the recorded CVSS vectors (PR:L, Au:S) indicate that a low-privileged authenticated account is sufficient. The description states that the attack can be launched remotely, and the AV:N component of the vectors confirms a network attack vector. Removing a role can strip privileged accounts of their permissions or let the attacker alter the privilege model, thereby facilitating privilege escalation. The weakness is improper authorization, matching the assigned CWE-285 (Improper Authorization) and CWE-266 (Incorrect Privilege Assignment).

Affected Systems

All releases of yeqifu warehouse are affected: the product does not use versioning, and the issue resides in the RoleController code. The commit aaf29962ba407d22d991781de28796ee7b4670e4 marks the latest revision known to be affected; since no fix has been published, every current checkout should be treated as vulnerable.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability rates as medium severity. An EPSS value below 1% signals a very low probability of exploitation, and the issue is not listed in CISA's KEV catalog, although a proof of concept has been disclosed publicly. Nevertheless, because the flaw permits remote role deletion, an attacker who can trigger the deletion could use it for privilege escalation. The combination of medium severity and low exploitation probability suggests that assessment and mitigation be prioritized in line with the organization's risk tolerance.

Generated by OpenCVE AI on April 18, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict access to the role management endpoints (addRole, updateRole, deleteRole) so that only users with administrative rights can invoke them.
  • Verify that the application enforces authentication and authorization checks before executing role changes; add the missing checks or refactor RoleController so that every role-modifying handler performs them.
  • Monitor application logs for unexpected role creation, modification or deletion events and investigate anomalies to detect potential exploitation.

Advisories

No advisories yet.

History

Each entry lists the change type and the values added; no values were removed in any entry.

Tue, 10 Feb 2026 16:15:00 +0000
  Type: Metrics
  Values added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:15:00 +0000
  Type: CPEs
  Values added: cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000
  Type: First Time appeared
  Values added: Yeqifu; Yeqifu warehouse
  Type: Vendors & Products
  Values added: Yeqifu; Yeqifu warehouse

Sat, 07 Feb 2026 07:45:00 +0000
  Type: Description
  Values added: A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role Management Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
  Type: Title
  Values added: yeqifu warehouse Role Management RoleController.java deleteRole improper authorization
  Type: Weaknesses
  Values added: CWE-266; CWE-285
  Type: References
  Type: Metrics
  Values added:
    cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE
  Status: PUBLISHED
  Assigner: VulDB
  Published:
  Updated: 2026-02-23T09:30:07.009Z
  Reserved: 2026-02-06T07:57:14.674Z
  Link: CVE-2026-2077

Vulnrichment
  Updated: 2026-02-10T15:30:49.994Z

NVD
  Status: Analyzed
  Published: 2026-02-07T08:15:50.997
  Modified: 2026-02-10T15:14:34.640
  Link: CVE-2026-2077

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-18T13:30:45Z

Weaknesses