CVE-2026-2676 - Vulnerability Details

- GoogTech sms-ssm API LoginInterceptor.java preHandle improper authorization

Description

A weakness has been identified in GoogTech sms-ssm up to e8534c766fd13f5f94c01dab475d75f286918a8d. Affected by this issue is the function preHandle of the file LoginInterceptor.java of the component API Interface. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.

Published: 2026-02-18

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The weakness lies in the preHandle method of LoginInterceptor.java in GoogTech sms-ssm, allowing an attacker to bypass proper authorization checks. This flaw corresponds to the common weaknesses of improper privilege management and incorrect authentication, and lets a remote actor gain unauthorized access to protected API endpoints. The attacker can read, modify, or delete data that should be restricted, compromising confidentiality and integrity of the system.

Affected Systems

Affected is the GoogTech sms-ssm API interface component. All releases up to commit e8534c766fd13f5f94c01dab475d75f286918a8d are vulnerable. The product uses a rolling release model, so the exact version is not disclosed; the fix will appear in future releases.

Risk and Exploitability

CVSS score 5.3 indicates moderate severity, but EPSS is less than 1%, pointing to a low exploitation probability. The vulnerability is not catalogued in KEV, yet an exploit has been publicly released. The primary threat comes from remote actors targeting the API endpoints, potentially achieving unauthorized access. The risk remains until a patch is applied, though current exploitation likelihood is low.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

GoogTech

sms-ssm

affected

Version	Status	Constraints
`e8534c766fd13f5f94c01dab475d75f286918a8d`	affected	—

No data.

Vendor Product Confidence Versions

Googtech

Sms-ssm

100%

Version	Status	Scheme	Platform
`e8534c766fd13f5f94c01dab475d75f286918a8d`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest vendor patch or update to a release that resolves the preHandle authorization issue.
If no patch is available yet, restrict network access to the API endpoints by using firewall rules or IP whitelisting to limit connections to trusted hosts.
Enable logging and actively monitor authentication logs for unusual access patterns, and alert on repeated failures or unauthorized bypass attempts.

Generated by OpenCVE AI on April 17, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/GoogTech/sms-ssm/
https://github.com/GoogTech/sms-ssm/issues/27
https://github.com/GoogTech/sms-ssm/issues/27#issue-3878817166
https://github.com/GoogTech/sms-ssm/issues/27#issuecomment-3828063958
https://vuldb.com/?ctiid.346469
https://vuldb.com/?id.346469
https://vuldb.com/?submit.749702

History

Thu, 19 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 19 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Googtech Googtech sms-ssm
Vendors & Products		Googtech Googtech sms-ssm

Wed, 18 Feb 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in GoogTech sms-ssm up to e8534c766fd13f5f94c01dab475d75f286918a8d. Affected by this issue is the function preHandle of the file LoginInterceptor.java of the component API Interface. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.
Title		GoogTech sms-ssm API LoginInterceptor.java preHandle improper authorization
Weaknesses		CWE-266 CWE-285
References		https://github.com/GoogTech/sms-ssm/ https://github.com/GoogTech/sms-ssm/issues/27 https://github.com/GoogTech/sms-ssm/issues/27#issue-3878817166 https://github.com/GoogTech/sms-ssm/issues/27#issuecomment-3828063958 https://vuldb.com/?ctiid.346469 https://vuldb.com/?id.346469 https://vuldb.com/?submit.749702
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:C'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Googtech Sms-ssm

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-18T22:02:07.132Z

Updated: 2026-02-23T10:25:41.735Z

Reserved: 2026-02-18T10:54:46.673Z

Link: CVE-2026-2676

Vulnrichment

Updated: 2026-02-19T16:00:50.660Z

NVD

Status : Deferred

Published: 2026-02-18T23:16:20.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2676

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object