Description
Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation. This issue affects Server: from 9.5.2 before 10.7.2.
Published: 2026-03-25
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

An authorization bypass flaw in HYPR Server allows an attacker to gain higher privileges on the system. The vulnerability stems from a user‑controlled key that is improperly validated, enabling privilege escalation when an attacker supplies a crafted request. The weakness aligns with CWE‑639, which concerns improper authorization checks. The impact is the ability for an attacker to execute actions typically reserved for higher‑privileged users, potentially compromising data integrity and system control.

Affected Systems

HYPR Server installations from version 9.5.2 up to, but not including, 10.7.2 are affected. Users running any release in this range should verify whether their deployment includes the vulnerable implementation of the user‑controlled key mechanism.

Risk and Exploitability

The CVSS score of 5.6 denotes a moderate risk level. The EPSS score of less than 1% suggests that exploitation in the wild is currently infrequent, and the vulnerability is not listed in the CISA KEV catalog. Based on the vulnerability description, the likely attack vector involves remotely sending a request that includes a user‑controlled key, implying that network access to the server’s API or web interface facilitates exploitation. This inference is made from the nature of the control flow described; the CVE entry does not detail the attack surface explicitly.

Generated by OpenCVE AI on April 2, 2026 at 04:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HYPR Server to version 10.7.2 or later
  • Verify that the upgrade removes the user‑controlled key handling flaw
  • Restrict network access to the server and monitor for anomalous request patterns while awaiting an update
  • Contact HYPR support for assistance if an upgrade cannot be performed immediately

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Authorization Bypass in HYPR Server Enabling Privilege Escalation

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Hypr hypr
CPEs cpe:2.3:a:hypr:hypr:*:*:*:*:*:*:*:*
Vendors & Products Hypr hypr
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Hypr
Hypr server
Vendors & Products Hypr
Hypr server

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Title Authorization Bypass in HYPR Server Enabling Privilege Escalation

Wed, 25 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description Authorization bypass through User-Controlled key vulnerability in HYPR Server allows Privilege Escalation. This issue affects Server: from 9.5.2 before 10.7.2.
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U'}


MITRE

Status: PUBLISHED

Assigner: HYPR

Published:

Updated: 2026-03-27T14:56:17.171Z

Reserved: 2026-02-12T16:57:17.576Z

Link: CVE-2026-2414

Vulnrichment

Updated: 2026-03-27T14:56:14.450Z

NVD

Status: Analyzed

Published: 2026-03-25T17:16:57.490

Modified: 2026-04-01T15:39:26.260

Link: CVE-2026-2414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:07Z

Weaknesses