Description
A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization
Action: Patch
AI Analysis

Impact

A vulnerability in the Log Info Handler of the yeqifu warehouse application lets remote, authenticated users call the loadAllLoginfo, deleteLoginfo and batchDeleteLoginfo handlers of LoginfoController without an adequate authorization check. A low-privilege account can therefore list and delete log records, undermining data integrity and the audit trail. The weakness is classified as CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization): the privilege needed to manage log records is not assigned or enforced correctly on the server side.

Affected Systems

The issue affects yeqifu warehouse, specifically the log-listing and log-deletion handlers in com.yeqifu.sys.controller.LoginfoController. Because the project does not publish versioned releases, no affected or fixed version can be named; the advisory identifies affected code up to commit aaf29962ba407d22d991781de28796ee7b4670e4, and any deployment built from this code base should be treated as vulnerable until a fix is applied.

Risk and Exploitability

The CVSS 4.0 score of 5.3 rates this as medium severity (the CVSS 3.1 base score is 6.3), and the EPSS score below 1% indicates a low current probability of exploitation. A proof-of-concept exploit is public, however, so an attacker holding any low-privilege account (CVSS PR:L) can trigger the flaw remotely wherever the endpoint is reachable. The flaw is a missing authorization check rather than an authentication bypass: an authenticated user with insufficient privileges can delete log records, destroying audit evidence and potentially masking other activity. The CVE is not in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation, but the public exploit and the absence of a vendor fix warrant prompt mitigation.

Generated by OpenCVE AI on April 17, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Enforce server-side authorization for loadAllLoginfo, deleteLoginfo and batchDeleteLoginfo in LoginfoController so that only accounts holding a log-management privilege can call them; hiding the buttons in the front end is not a control.
  • Disable or remove the deleteLoginfo and batchDeleteLoginfo endpoints if log deletion is not required, reducing the attack surface.
  • Contact the yeqifu warehouse maintainers or monitor the project repository for a security fix (the project had not responded to the issue report at publication), and plan for immediate deployment when one becomes available.
  • As a temporary measure, add reverse-proxy or web-application-firewall rules that restrict requests to the LoginfoController routes to administrator sessions or trusted source addresses, and ship log records to an external append-only store so that a deletion inside the application does not erase the audit trail.

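As an added illustration of the first recommended action, not code from the yeqifu warehouse project (whose controller is not reproduced on this page), the following Java shows the vulnerable shape of a Spring MVC controller whose handlers carry no authorization check beside a hardened version that enforces a permission per handler and records each deletion outside the deletable table. It assumes Spring Boot with Spring Security method security; the request paths, the LoginfoService interface, the authority names sys:loginfo:view and sys:loginfo:delete, and the MAX_BATCH limit are assumptions, not identifiers from the project.

```java
// Added example, not the yeqifu warehouse project's own code.
// Assumptions: Spring Boot with Spring Security method security; LoginfoService,
// the request paths, the authority names and MAX_BATCH are illustrative only.
package example.sys.controller;

import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/** Assumed service interface; the persistence layer is out of scope here. */
interface LoginfoService {
    List<String> findAll();
    int deleteByIds(List<Integer> ids);
}

/**
 * Vulnerable shape (CWE-285): the handlers require only a valid session,
 * so any authenticated user (CVSS PR:L) can list and delete log records.
 */
@RestController
@RequestMapping("/vuln/loginfo")
class VulnerableLoginfoController {
    private final LoginfoService service;

    VulnerableLoginfoController(LoginfoService service) {
        this.service = service;
    }

    @GetMapping("/loadAllLoginfo")
    public List<String> loadAllLoginfo() {
        return service.findAll();                 // no permission check
    }

    @PostMapping("/deleteLoginfo")
    public int deleteLoginfo(@RequestParam("id") int id) {
        return service.deleteByIds(List.of(id));  // no permission check
    }

    @PostMapping("/batchDeleteLoginfo")
    public int batchDeleteLoginfo(@RequestParam("ids") List<Integer> ids) {
        return service.deleteByIds(ids);          // no permission check, no size bound
    }
}

/** Enables @PreAuthorize evaluation (Spring Security 6; 5.x uses @EnableGlobalMethodSecurity(prePostEnabled = true)). */
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

/** Hardened shape: each handler names the authority it needs, checked server-side before the body runs. */
@RestController
@RequestMapping("/loginfo")
class HardenedLoginfoController {
    private static final Logger AUDIT = LoggerFactory.getLogger("audit");
    private static final int MAX_BATCH = 500;     // assumed upper bound per request

    private final LoginfoService service;

    HardenedLoginfoController(LoginfoService service) {
        this.service = service;
    }

    @PreAuthorize("hasAuthority('sys:loginfo:view')")
    @GetMapping("/loadAllLoginfo")
    public List<String> loadAllLoginfo() {
        return service.findAll();
    }

    @PreAuthorize("hasAuthority('sys:loginfo:delete')")
    @PostMapping("/deleteLoginfo")
    public int deleteLoginfo(@RequestParam("id") int id, Authentication auth) {
        return deleteAndAudit(List.of(id), auth);
    }

    @PreAuthorize("hasAuthority('sys:loginfo:delete')")
    @PostMapping("/batchDeleteLoginfo")
    public int batchDeleteLoginfo(@RequestParam("ids") List<Integer> ids, Authentication auth) {
        return deleteAndAudit(ids, auth);
    }

    // Shared path: validate the batch, delete, then record who deleted what in a
    // logger whose appender writes outside the application's log table (file,
    // syslog, SIEM), so this endpoint cannot erase the record of its own use.
    private int deleteAndAudit(List<Integer> ids, Authentication auth) {
        if (ids == null || ids.isEmpty() || ids.size() > MAX_BATCH) {
            throw new IllegalArgumentException("ids must contain 1.." + MAX_BATCH + " entries");
        }
        int deleted = service.deleteByIds(ids);
        AUDIT.warn("user={} deleted {} loginfo rows ids={}", auth.getName(), deleted, ids);
        return deleted;
    }
}
```

If the deployment uses Apache Shiro instead of Spring Security, the equivalent per-handler check is @RequiresPermissions with the AuthorizationAttributeSourceAdvisor bean registered; in either framework, verify the fix by logging in as a non-administrative user and confirming that each of the three routes returns an authorization error rather than data.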

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 12:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values added: Yeqifu; Yeqifu warehouse

Type: Vendors & Products
Values added: Yeqifu; Yeqifu warehouse

Sat, 07 Feb 2026 19:00:00 +0000

Type: Description
Values added: A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values added: yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization

Type: Weaknesses
Values added: CWE-266; CWE-285

Type: References

Type: Metrics
Values added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:33:44.659Z

Reserved: 2026-02-06T14:16:03.665Z

Link: CVE-2026-2107

Vulnrichment

Updated: 2026-02-10T16:01:29.987Z

NVD

Status : Analyzed

Published: 2026-02-07T19:15:46.413

Modified: 2026-02-10T15:12:51.920

Link: CVE-2026-2107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses