Description
A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addCustomer/updateCustomer/deleteCustomer of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\CustomerController.java of the component Customer Endpoint. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion and modification of customer records
Action: Patch Immediately
AI Analysis

Impact

The Warehouse project contains an authorization flaw in CustomerController’s addCustomer, updateCustomer and deleteCustomer actions. These controller methods do not enforce a permission check, so any remote user who can reach them can create, alter or delete customer data. The result is an improper access control vulnerability that permits unauthorized manipulation of sensitive customer information.

Affected Systems

Yeqifu Warehouse, a web application component exposed via REST endpoints. No specific release or version is affected; the product uses a rolling release model and the upstream repository does not list a patched commit yet.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate level of risk, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalogue. Remote exploitation is possible through unauthenticated or weakly authenticated HTTP requests to the Customer API. A publicly available exploit demonstrates that an attacker can send a crafted request to the deleteCustomer endpoint and permanently erase customer records, highlighting that any user with network access to the service can exercise this flaw.

Generated by OpenCVE AI on April 17, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest release from the yeqifu/warehouse repository that addresses the access-control checks in CustomerController.
  • Implement strict authentication and authorization for all Customer API endpoints, ensuring that only users with appropriate roles can invoke add, update or delete operations.
  • Reconfigure or temporarily disable the deleteCustomer endpoint until a reliable patch is deployed, and monitor logs for unauthorized deletion attempts.

Generated by OpenCVE AI on April 17, 2026 at 17:15 UTC.
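The following is an added illustration of the second and third recommended actions (role-based authorization on the mutating Customer endpoints, plus logging of denied attempts for monitoring). It is not code from the yeqifu/warehouse project and does not reflect the project's actual framework or fix; it assumes Spring Boot 3 with spring-boot-starter-web and spring-boot-starter-security, and the role name CUSTOMER_ADMIN, the /customer/* paths, the Customer record and the in-memory store are constructed for the example.

```java
// Added example; not the yeqifu/warehouse project's own code.
// Assumes Spring Boot 3.x with spring-boot-starter-web and
// spring-boot-starter-security. The role "CUSTOMER_ADMIN", the /customer/*
// paths, the Customer record and the in-memory store are constructed here.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.web.bind.annotation.*;

// Constructed DTO standing in for the project's customer entity.
record Customer(long id, String name) {}

@RestController
@RequestMapping("/customer")
public class CustomerController {
    private final Map<Long, Customer> store = new ConcurrentHashMap<>();

    // Read access: any authenticated principal may look up a record.
    @GetMapping("/{id}")
    @PreAuthorize("isAuthenticated()")
    public ResponseEntity<Customer> getCustomer(@PathVariable long id) {
        Customer c = store.get(id);
        if (c == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.ok(c);
    }

    // Mutating actions carry an explicit role requirement. This is the check
    // the advisory describes as absent on add/update/delete: without it, any
    // caller who reaches the method can change or remove customer data.
    @PostMapping("/addCustomer")
    @PreAuthorize("hasRole('CUSTOMER_ADMIN')")
    public ResponseEntity<Void> addCustomer(@RequestBody Customer c) {
        store.put(c.id(), c);
        return ResponseEntity.status(HttpStatus.CREATED).build();
    }

    @PostMapping("/updateCustomer")
    @PreAuthorize("hasRole('CUSTOMER_ADMIN')")
    public ResponseEntity<Void> updateCustomer(@RequestBody Customer c) {
        if (store.replace(c.id(), c) == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.noContent().build();
    }

    @PostMapping("/deleteCustomer")
    @PreAuthorize("hasRole('CUSTOMER_ADMIN')")
    public ResponseEntity<Void> deleteCustomer(@RequestParam long id) {
        if (store.remove(id) == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.noContent().build();
    }
}

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // enables evaluation of the @PreAuthorize expressions above
class SecurityConfig {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .exceptionHandling(ex -> ex.accessDeniedHandler(deniedHandler()));
        return http.build();
    }

    // Denied attempts are logged with principal, HTTP method, path and source
    // address so that unauthorized deletion attempts are visible to monitoring.
    @Bean
    AccessDeniedHandler deniedHandler() {
        return (HttpServletRequest req, HttpServletResponse res, AccessDeniedException e) -> {
            Authentication a = SecurityContextHolder.getContext().getAuthentication();
            log.warn("access denied: user={} {} {} from={}",
                    a == null ? "anonymous" : a.getName(),
                    req.getMethod(), req.getRequestURI(), req.getRemoteAddr());
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
        };
    }
}
```

The method-level annotations are the point: the URL rule only requires authentication, so a low-privileged account (the PR:L precondition in the page's CVSS vectors) still reaches the controller, and it is the per-method role check that turns a deleteCustomer call from such an account into a logged 403. CSRF handling is left at Spring Security's default here and needs to be configured for the real client model.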

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 02:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Yeqifu; Yeqifu warehouse
Type: Vendors & Products
Values Added: Yeqifu; Yeqifu warehouse

Fri, 20 Feb 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:30:00 +0000

Type: Description
Values Added: A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addCustomer/updateCustomer/deleteCustomer of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\CustomerController.java of the component Customer Endpoint. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Type: Title
Values Added: yeqifu warehouse Customer Endpoint CustomerController.java deleteCustomer access control
Type: Weaknesses
Values Added: CWE-266; CWE-284
Type: References
Type: Metrics
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-20T18:55:59.698Z

Reserved: 2026-02-20T09:00:49.391Z

Link: CVE-2026-2850

Vulnrichment

Updated: 2026-02-20T18:55:51.619Z

NVD

Status : Analyzed

Published: 2026-02-20T18:25:53.830

Modified: 2026-02-26T02:40:36.140

Link: CVE-2026-2850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses