Description
A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function deleteCache/removeAllCache/syncCache of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\CacheController.java of the component Cache Sync Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Cache Manipulation via Improper Access Control
Action: Apply Fix
AI Analysis

Impact

The vulnerability arises from missing access controls in the CacheController module that handles cache deletion, purging, and synchronization. An attacker who can reach these endpoints may trigger cache operations without authentication, potentially leading to data loss, service disruption, or exposure of sensitive cache contents. The impact is limited to the cache layer but can affect system stability and data availability, as the underlying data may be invalidated or removed. This flaw does not provide arbitrary code execution but allows direct manipulation of cached data across the application.

Affected Systems

The affected product is yeqifu's Warehouse, a rolling‑release repository management system hosted on GitHub. No specific version numbers are available, but any release built before the commit aaf29962ba407d22d991781de28796ee7b4670e4 contains the vulnerable code.

Risk and Exploitability

The entry carries a CVSS score of 5.3, indicating moderate severity. The EPSS score is below 1%, implying a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalogue, so no confirmed widespread exploitation has been reported. Attackers would need to discover the application and gain network access to it, then issue the delete, purge, or sync requests. No remediation had been detected when this analysis was written, so the risk remains moderate until a patch or workaround is deployed.

Generated by OpenCVE AI on April 17, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that the deployment is built from a commit newer than aaf29962ba4; if a release is available, apply the update to the Warehouse repository.
  • Configure network or application‑level access controls to ensure only authenticated and authorized users can invoke the /syncCache, /deleteCache, or /removeAllCache endpoints—add role‑based restrictions or token validation as appropriate.
  • If an immediate update is unavailable, temporarily disable the cache‑synchronisation endpoints via configuration or firewall rules to prevent unauthorized use.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Yeqifu
Yeqifu warehouse
Vendors & Products Yeqifu
Yeqifu warehouse

Fri, 20 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function deleteCache/removeAllCache/syncCache of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\CacheController.java of the component Cache Sync Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Title yeqifu warehouse Cache Sync CacheController.java syncCache access control
Weaknesses CWE-266
CWE-284
References
Metrics cvssV2_0

{'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-24T14:37:54.410Z

Reserved: 2026-02-20T09:00:44.984Z

Link: CVE-2026-2849

Vulnrichment

Updated: 2026-02-24T14:37:49.665Z

NVD

Status: Analyzed

Published: 2026-02-20T17:25:58.673

Modified: 2026-02-26T02:41:58.623

Link: CVE-2026-2849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z
