Description
A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Improper Authorization
Action: Apply Patch
AI Analysis

Impact

A flaw in WuKongOpenSource WukongCRM's URL Handler, specifically PermissionServiceImpl.java, allows an attacker to manipulate requests and bypass the normal authorization checks. The vulnerability can be triggered remotely, giving the attacker access to protected URLs that should be restricted. Depending on the privileges granted by the reachable endpoints, sensitive data could be disclosed or further compromised. The CVSS score of 5.3 reflects moderate severity, since the data or services reachable through the bypassed endpoints may be important to the affected organization.

Affected Systems

The issue exists in all instances of WuKongOpenSource WukongCRM up to and including release 11.3.3. Applications that include the gateway component and use the PermissionServiceImpl module are affected. No other vendors or product versions are listed; therefore, all deployments of the specified version range should be reviewed.

Risk and Exploitability

With an estimated EPSS of less than one percent and no listing in the KEV catalog, the likelihood of widespread exploitation currently remains low. However, a public exploit has been released, so attackers could soon target vulnerable installations. The attack is carried out over the network by manipulating URL requests; the CVSS vectors recorded in the History section rate the required privileges as low (PR:L, Au:S), so a low-privileged account is sufficient. Organizations should treat this as a moderate risk until a patch is applied or a mitigating configuration change is made.

Generated by OpenCVE AI on April 17, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WukongCRM to a version newer than 11.3.3 once an official patch is released by the vendor.
  • Enforce network or application-level access controls (e.g., firewall rules, WAF) to limit exposure of the affected URL endpoints to trusted IP ranges.
  • Configure the application to remove or restrict unnecessary user permissions so that even if an authorization bypass occurs, the potential damage is minimized.
  • Monitor web server and application logs for anomalous access patterns or repeated attempts to reach protected URLs to detect potential exploitation attempts.


Tracking


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 21:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | 5kcrm; 5kcrm wukongcrm
Weaknesses          |                | CWE-863
CPEs                |                | cpe:2.3:a:5kcrm:wukongcrm:*:*:*:*:java:*:*:*
Vendors & Products  |                | 5kcrm; 5kcrm wukongcrm

Tue, 10 Feb 2026 22:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wukongopensource; Wukongopensource wukongcrm
Vendors & Products  |                | Wukongopensource; Wukongopensource wukongcrm

Sun, 08 Feb 2026 08:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title       |                | WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization
Weaknesses  |                | CWE-266; CWE-285
References  |                |
Metrics     |                | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:39:32.564Z

Reserved: 2026-02-06T21:06:36.285Z

Link: CVE-2026-2141

Vulnrichment

Updated: 2026-02-10T21:17:20.017Z

NVD

Status: Analyzed

Published: 2026-02-08T08:15:52.230

Modified: 2026-03-05T21:21:45.583

Link: CVE-2026-2141

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:00:11Z

Weaknesses