Description
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
Published: 2026-01-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an insecure direct object reference (CWE-639): backend API endpoints in D-Link D-View 8 accept a caller-supplied user_id and return that user's record without checking that the authenticated caller is entitled to it. Any authenticated user, regardless of role, can therefore read sensitive credential data belonging to other users, including super administrators. Because the exposed material is accepted directly as a valid authentication secret, it can be replayed to impersonate the target account, giving complete administrative control over the system.
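The following is an added illustration of the CWE-639 pattern described above and of the corresponding fix; it is not D-Link code and does not reproduce the D-View 8 API. The endpoint shape, the record fields, the session model and the "secret" field are assumptions. The vulnerable handler verifies only that the caller is logged in and then trusts the caller-supplied user_id; the fixed handler authorizes against the server-side identity, returns the same error for missing and forbidden records so it cannot be used to enumerate valid ids, and never returns the secret at all.

```python
"""Added example (not D-Link code): CWE-639 object-level authorization failure
and a fixed handler. Endpoint shape, record fields and session model are
assumptions; the real D-View 8 API is not reproduced here."""
import hmac
from dataclasses import dataclass

# Constructed user store. "secret" stands in for whatever credential material the
# real endpoint exposes; the advisory does not say what form it takes.
USERS = {
    1: {"username": "superadmin", "role": "super_admin", "secret": "s3cr3t-admin-0001"},
    2: {"username": "operator",   "role": "user",        "secret": "s3cr3t-oper-0002"},
    3: {"username": "viewer",     "role": "user",        "secret": "s3cr3t-view-0003"},
}


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str


class AccessDenied(Exception):
    pass


def get_user_vulnerable(session, user_id):
    """Vulnerable handler: checks that the caller is logged in, then trusts the
    caller-supplied user_id. Any authenticated user can read any record."""
    if session is None:
        raise AccessDenied("unauthenticated")
    return dict(USERS[user_id])


def get_user_fixed(session, user_id):
    """Fixed handler: object-level authorization on the server-side identity, and
    the secret never leaves the store. Missing and forbidden records raise the
    same error so the endpoint is not an id-enumeration oracle."""
    if session is None:
        raise AccessDenied("unauthenticated")
    record = USERS.get(user_id)
    allowed = session.role == "super_admin" or session.user_id == user_id
    if record is None or not allowed:
        raise AccessDenied("no such record or not permitted")
    return {k: v for k, v in record.items() if k != "secret"}


def login_with_secret(secret):
    """The reuse step: whoever presents a stored secret becomes that user.
    Constant-time comparison so the lookup itself is not a timing oracle."""
    for uid, rec in USERS.items():
        if hmac.compare_digest(rec["secret"], secret):
            return Session(uid, rec["role"])
    return None


def fixed_denies(session, user_id):
    """True if the fixed handler refuses the request (helper for checks)."""
    try:
        get_user_fixed(session, user_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    low = Session(user_id=2, role="user")
    # Unpatched: a low-privileged user asks for user 1 and receives the admin's secret ...
    leaked = get_user_vulnerable(low, 1)["secret"]
    # ... and replays it to obtain a super_admin session.
    print("impersonated as:", login_with_secret(leaked).role)
    # Patched: the same request is refused, and even an admin's read carries no secret.
    print("fixed denies:", fixed_denies(low, 1))
    print("admin view of user 2:", get_user_fixed(Session(1, "super_admin"), 2))
```

The authorization decision in the fixed handler is taken from the session, never from anything in the request, and the data minimization (no secret in any response) means that even a future authorization bug would not hand out reusable credentials.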

Affected Systems

D-Link D-View 8 versions 2.0.1.107 and earlier are affected.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 base score of 8.7 (High); the v3.1 score recorded in the history below is 8.8, with vector AV:N/AC:L/PR:L/UI:N. The EPSS score is below 1%, suggesting low public exploitation probability at present, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires only a valid low-privileged account: the attacker then sends network requests to the backend API with other users' user_id values, retrieves their credential material, and reuses it directly for account takeover and unrestricted administrative access. No user interaction and no brute force are needed, so a single request against an unpatched system is sufficient.

Generated by OpenCVE AI on April 18, 2026 at 04:12 UTC.

Remediation

Vendor Solution

Upgrade to D-Link D-View 8 version 2.0.5.109 Beta or later.


OpenCVE Recommended Actions

  • Upgrade to D-Link D-View 8 version 2.0.5.109 Beta or later.
  • Restrict access to the vulnerable backend API endpoints to administrators only, or disable those endpoints if not needed.
  • Implement continuous monitoring of authentication logs for suspicious credential usage and enforce rate limiting on API calls.
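Two checks in the spirit of the monitoring and rate-limiting advice above, written as an added example over constructed access-log lines; this is not D-View code, and the log format, endpoint path, field names, admin set and thresholds are all assumptions. The first check flags any non-admin session that successfully read another account's record (one hit is enough to act on, since on an unpatched build a single request leaks a reusable secret); the second flags sessions that hit the credential endpoint more than N times inside a sliding window, which is the shape an id-enumeration sweep takes.

```python
"""Added example (not D-View code): detection over constructed request-log lines.
Log format, endpoint path, field names, admin set and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed request log: ISO timestamp, session id, authenticated user id,
# method, path, status. Session s-11 (user 2) walks through other users' records.
SAMPLE_LOG = """\
2026-01-21T10:00:01Z session=s-11 uid=2 GET /api/users/2/credentials 200
2026-01-21T10:00:02Z session=s-11 uid=2 GET /api/users/1/credentials 200
2026-01-21T10:00:02Z session=s-11 uid=2 GET /api/users/3/credentials 200
2026-01-21T10:00:03Z session=s-11 uid=2 GET /api/users/4/credentials 200
2026-01-21T10:00:09Z session=s-12 uid=3 GET /api/users/3/credentials 200
2026-01-21T10:00:10Z session=s-13 uid=1 GET /api/users/2/credentials 200
2026-01-21T10:00:11Z session=s-13 uid=1 GET /api/devices 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) uid=(?P<uid>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
CRED_PATH_RE = re.compile(r"^/api/users/(?P<target>\d+)/credentials$")
ADMINS = {1}  # accounts permitted to read other users' records (assumption)


def parse_line(line):
    """Return a dict for a well-formed line, or None. The timestamp becomes an
    aware datetime and target is the user id in the path, if it is a credential read."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["uid"] = int(rec["uid"])
    rec["status"] = int(rec["status"])
    t = CRED_PATH_RE.match(rec["path"])
    rec["target"] = int(t.group("target")) if t else None
    return rec


def records(log_text):
    return [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]


def cross_user_reads(log_text, admins=ADMINS):
    """{session: sorted foreign user ids} for non-admin sessions that successfully
    read another account's record. One hit is enough to act on."""
    hits = defaultdict(set)
    for r in records(log_text):
        if r["target"] is None or r["status"] != 200:
            continue
        if r["uid"] in admins or r["target"] == r["uid"]:
            continue
        hits[r["session"]].add(r["target"])
    return {s: sorted(t) for s, t in hits.items()}


def sessions_over_rate(log_text, max_requests=3, window_seconds=10):
    """Sessions that made more than max_requests credential-endpoint calls within
    any window_seconds span (sliding window over sorted timestamps)."""
    per_session = defaultdict(list)
    for r in records(log_text):
        if r["target"] is not None:
            per_session[r["session"]].append(r["ts"])
    flagged = set()
    for s, ts in per_session.items():
        ts.sort()
        for i in range(len(ts) - max_requests):
            if (ts[i + max_requests] - ts[i]).total_seconds() <= window_seconds:
                flagged.add(s)
                break
    return flagged


if __name__ == "__main__":
    print("cross-user reads:", cross_user_reads(SAMPLE_LOG))
    print("over rate:", sorted(sessions_over_rate(SAMPLE_LOG)))
```

The first check is the one that matters on unpatched versions and needs no threshold; the rate check is a coarser signal that also catches probing of ids that do not exist. Both assume the application logs the authenticated uid alongside the requested path, which is the field to make sure is present before relying on this.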

Generated by OpenCVE AI on April 18, 2026 at 04:12 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 30 Jan 2026 21:45:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:dlink:d-view_8:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 Jan 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Dlink; Dlink d-view 8
Vendors & Products                     Dlink; Dlink d-view 8

Thu, 22 Jan 2026 23:00:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 18:15:00 +0000

Type         Values Removed   Values Added
Description                   D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
Title                         D-Link D-View 8 IDOR Allows Credential Disclosure and Account Takeover
Weaknesses                    CWE-639
References
Metrics                       cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:21.783Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23754

Vulnrichment

Updated: 2026-01-22T15:11:06.120Z

NVD

Status : Analyzed

Published: 2026-01-21T18:16:25.370

Modified: 2026-01-30T21:30:51.903

Link: CVE-2026-23754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses