Description
A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\PermissionController.java of the component Permission Management. Performing a manipulation results in improper authorization. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized permission deletion due to improper authorization checks
Action: Immediate Patch
AI Analysis

Impact

PermissionController in the Warehouse application lacks proper authorization enforcement for addPermission, updatePermission, and deletePermission functions. An attacker can invoke deletePermission without being verified against a permission store, thereby erasing critical access controls. This flaw falls under improper authorization (CWE-266, CWE-285) and can lead to the loss of legitimate access rights and potential privilege escalation or denial of service for authorized users.

Affected Systems

All releases of the yeqifu Warehouse application that include the code before commit aaf29962ba407d22d991781de28796ee7b4670e4 are affected. Because the project follows a rolling release model, no specific version numbers are published for fixes, so any deployed instance that has not applied a newer commit is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1% suggests the attack is unlikely to be widely executed at this time. The vulnerability can be triggered remotely, and exploit code is publicly available. The flaw is not listed in the CISA KEV catalog, implying that it has not yet seen widespread exploitation. However, the lack of a strict authorization check on a privileged endpoint makes it an appealing target for attackers who can delete or manipulate permissions, potentially facilitating further escalation or disruption if the application is exposed to untrusted networks.

Generated by OpenCVE AI on April 18, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to the latest commit or any version that includes the fix when the vendor releases it; if no update is available, replace the deletePermission method with a version that verifies the caller's role or permissions before deleting.
  • Configure network or application firewall rules to restrict access to the permission management API endpoints to trusted, authenticated users only.
  • Audit all permission-related endpoints to confirm that every operation performs an explicit role or permission check before execution.
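The check the first recommended action calls for, as an added example that is not code from the yeqifu warehouse project: the unchecked handler shape the advisory describes next to one that verifies the caller's authority before the delete runs. It assumes a Spring MVC controller with Spring Security method security enabled; the authority name, the routes and the PermissionService interface are invented for illustration, and the project's actual framework is not shown on this page.

```java
// Added example, not code from the yeqifu warehouse project. Assumes Spring MVC
// with Spring Security method security enabled (@EnableMethodSecurity, or
// @EnableGlobalMethodSecurity(prePostEnabled = true) on Spring Security 5.x).
// The PermissionService type and the authority name are assumptions.
package com.yeqifu.sys.controller;

import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class PermissionController {

    // Hypothetical persistence layer; only the call used below is declared.
    public interface PermissionService {
        void delete(long id);
    }

    private final PermissionService permissionService;

    public PermissionController(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    // Vulnerable shape described by the advisory: reachable by any logged-in
    // user (PR:L in the CVSS vector) and deletes whatever id it is given,
    // because nothing checks what the caller is allowed to do.
    // Kept here only to contrast with the checked version below.
    @DeleteMapping("/permission/legacy/{id}")
    public ResponseEntity<Void> deletePermissionUnchecked(@PathVariable long id) {
        permissionService.delete(id);
        return ResponseEntity.noContent().build();
    }

    // Hardened shape: the authority expression is evaluated before the method
    // body runs. A caller lacking the authority receives 403 and the service
    // is never reached. Apply the same guard to addPermission and
    // updatePermission, which the advisory names alongside deletePermission.
    @PreAuthorize("hasAuthority('permission:delete')")
    @DeleteMapping("/permission/{id}")
    public ResponseEntity<Void> deletePermission(@PathVariable long id) {
        permissionService.delete(id);
        return ResponseEntity.noContent().build();
    }
}
```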

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 12:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Yeqifu; Yeqifu warehouse

Type: Vendors & Products
Values Added: Yeqifu; Yeqifu warehouse

Sat, 07 Feb 2026 08:15:00 +0000

Type: Description
Values Added: the vulnerability description shown at the top of this page

Type: Title
Values Added: yeqifu warehouse Permission Management PermissionController.java deletePermission improper authorization

Type: Weaknesses
Values Added: CWE-266; CWE-285

Type: References
Values Added: (none listed)

Type: Metrics
Values Added:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:30:20.645Z

Reserved: 2026-02-06T07:57:17.656Z

Link: CVE-2026-2078

Vulnrichment

Updated: 2026-02-10T15:35:34.610Z

NVD

Status : Analyzed

Published: 2026-02-07T08:15:51.830

Modified: 2026-02-10T15:14:12.653

Link: CVE-2026-2078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses