Description
Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking.

This issue affects E-Commerce Website: before 4.5.001.
Published: 2026-05-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR (CWE-639) that enables an attacker to manipulate a user‑controlled key to bypass authorization checks in the Akilli Commerce E‑Commerce website. This bypass can force the application to treat an impersonated session as legitimate, permitting the attacker to access or modify data belonging to other users and potentially execute privileged actions if the impersonated user holds elevated rights.

Affected Systems

Akilli Commerce Software Technologies Ltd. Co.’s E‑Commerce Website is affected for all releases prior to version 4.5.001. The vulnerability applies to the web application layer, affecting every instance of the platform running those versions and leaving all client sessions exposed to hijacking.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical, and the absence of an EPSS value indicates that the precise likelihood of exploitation is unknown but potentially high given the nature of IDOR flaws. The vulnerability is not yet in the CISA KEV catalog, but its severity warrants urgent attention. The likely attack vector is the manipulation of a user‑controlled identifier through HTTP parameters or session data, requiring the attacker to reach the vulnerable endpoint; a successful request can hijack any user’s session, offering full read or write access to that user’s data.

Generated by OpenCVE AI on May 14, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or limit access to the vulnerable endpoint or feature until a vendor patch becomes available.
  • Implement strict server‑side authorization checks that verify the resource identifier belongs to the authenticated user before granting access or performing actions.
  • Monitor web logs for anomalous access patterns and apply rate limiting or blocking for repeated attempts to manipulate identifiers, reducing the window for exploitation.
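The second and third recommended actions above, carried into code as an added example that is not part of the OpenCVE record and is not the vendor's code: a request handler that looks up an order by a user-controlled key only after verifying the record belongs to the authenticated session's user (the CWE-639 control), beside the vulnerable lookup it replaces, plus a small sliding-window monitor that counts authorization denials per user and throttles repeated identifier probing. The order store, the Session object, the threshold and the log line format are all constructed for the example.

```python
"""Added example (not Akilli Commerce or OpenCVE code): ownership check for a
user-controlled resource key, with denial monitoring. All data is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
import time

# Constructed sample store: two customers, one order each.
ORDERS = {
    1001: {"owner_id": 7, "total": "49.90"},
    1002: {"owner_id": 8, "total": "120.00"},
}


@dataclass(frozen=True)
class Session:
    """Hypothetical server-side session. user_id is set at login and never
    taken from the request, which is what makes the ownership check meaningful."""
    user_id: int
    is_admin: bool = False


def get_order_vulnerable(order_id: int):
    """Vulnerable pattern (CWE-639): the caller is authenticated, but the order is
    fetched by the user-controlled key alone, so any logged-in user can read any
    order just by changing the id. Shown only for contrast with the handler below."""
    return ORDERS.get(order_id)


class DenialMonitor:
    """Counts authorization denials per user inside a sliding time window.
    Repeated denials from one session are the signature of identifier probing."""

    def __init__(self, threshold: int = 5, window_seconds: float = 60.0,
                 clock=time.monotonic):
        self.threshold = threshold
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)

    def _prune(self, user_id: int, now: float) -> deque:
        q = self._events[user_id]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record(self, user_id: int) -> int:
        """Register one denial; returns the number of denials still in the window."""
        now = self.clock()
        q = self._prune(user_id, now)
        q.append(now)
        return len(q)

    def is_blocked(self, user_id: int) -> bool:
        return len(self._prune(user_id, self.clock())) >= self.threshold


def handle_get_order(session: Session, order_id: int, monitor: DenialMonitor):
    """Hardened handler. Returns an (http_status, body) pair.

    The resource id from the request is treated as a hint only: the record is
    released when its owner_id matches the session user (or the user is an admin).
    A non-owned and a non-existent id both answer 404 so the response does not
    reveal which ids exist; the distinction is kept server-side in the log line."""
    if monitor.is_blocked(session.user_id):
        return 429, {"error": "too many requests"}

    order = ORDERS.get(order_id)
    owned = order is not None and (
        order["owner_id"] == session.user_id or session.is_admin
    )
    if not owned:
        denials = monitor.record(session.user_id)
        reason = "missing" if order is None else "not-owner"
        # Constructed log format; this is the line a detection rule would key on.
        print(f"authz-denied user={session.user_id} order_id={order_id} "
              f"reason={reason} denials_in_window={denials}")
        return 404, {"error": "not found"}

    return 200, order


if __name__ == "__main__":
    mon = DenialMonitor(threshold=3)
    print(handle_get_order(Session(user_id=7), 1001, mon))  # own order: 200
    print(handle_get_order(Session(user_id=7), 1002, mon))  # someone else's: 404
```

The monitor keys on the authenticated user rather than on the client address, because an ownership-check failure is only meaningful once the caller is known; the threshold and window are deliberately small here so the throttling path is exercised in a handful of calls.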

Generated by OpenCVE AI on May 14, 2026 at 11:22 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 18:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 14:00:00 +0000

Type               | Values Removed | Values Added
First Time appeared|                | Akilli Commerce Software Technologies Ltd. Co.
                   |                | Akilli Commerce Software Technologies Ltd. Co. e-commerce Website
Vendors & Products |                | Akilli Commerce Software Technologies Ltd. Co.
                   |                | Akilli Commerce Software Technologies Ltd. Co. e-commerce Website

Thu, 14 May 2026 10:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001.
Title       |                | IDOR in Akıllı Ticaret's E-Commerce Pack
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Akilli Commerce Software Technologies Ltd. Co. E-commerce Website
MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-06-08T13:59:14.431Z

Reserved: 2026-02-11T15:46:45.641Z

Link: CVE-2026-2347

Vulnrichment

Updated: 2026-05-14T17:47:30.624Z

NVD

Status: Deferred

Published: 2026-05-14T10:16:19.203

Modified: 2026-05-14T16:20:13.477

Link: CVE-2026-2347

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T13:45:18Z

Weaknesses