Description
Identity-based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts.
Published: 2026-03-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via IDOR
Action: Patch immediately
AI Analysis

Impact

The vulnerability is an identity-based authorization bypass (IDOR) that lets an authenticated attacker alter another user's account data: change the email address, validate that address, and then request a password reset that is delivered to the attacker-controlled mailbox. The result is full takeover of other users' accounts, compromising the confidentiality and integrity of their data (the CVSS vector records no availability impact). The weakness is CWE-639, Authorization Bypass Through User-Controlled Key: the server acts on an account identifier supplied by the client without checking that it belongs to the authenticated principal.

Affected Systems

The affected vendor is Wakyma and the affected product is the Wakyma application web. The CPE lists all versions as affected; the fix was deployed to production through Wakyma's continuous integration pipeline on February 19, 2026, so deployments from before that date are vulnerable.

Risk and Exploitability

The CVSS 4.0 base score of 8.6 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) classifies this as high severity: network reachable, low attack complexity, no user interaction, and only low privileges required, meaning any ordinary authenticated account suffices. The EPSS score of less than 1% indicates low current exploitation probability, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: total. The likely attack vector is an authenticated user sending crafted HTTP requests to account-management endpoints that take the target user's identifier from the request body or URL instead of from the session, allowing them to change another user's email, validate it, and trigger a password reset to that address.

Generated by OpenCVE AI on March 22, 2026 at 14:47 UTC.
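The pattern behind CWE-639 and the takeover chain described above, as an added worked example that is not Wakyma's code or API: a simulated "change e-mail" handler that trusts a client-supplied user_id, the same handler with the target bound to the authenticated session instead, and a replay of the attacker's steps against both. The user store, field names, request body shape and e-mail addresses are all constructed for the example.

```python
"""Simulated account-settings handlers for an IDOR of the CVE-2026-3020
type (CWE-639). Constructed example; not Wakyma's code or API."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class Forbidden(Exception):
    """Raised when a request targets an account other than the caller's."""


@dataclass
class User:
    id: int
    email: str
    pending_email: Optional[str] = None   # new address awaiting verification
    verify_token: Optional[str] = None    # token e-mailed to pending_email


def new_store() -> Dict[int, User]:
    """Constructed sample accounts: 1 is the victim, 2 the attacker."""
    return {1: User(1, "victim@example.com"), 2: User(2, "attacker@example.com")}


def change_email_vulnerable(store: Dict[int, User], session_user_id: int, body: dict) -> str:
    """Vulnerable: the account to modify is taken from a client-supplied key
    (body['user_id']) and never compared with the authenticated session."""
    target = store[body["user_id"]]
    target.pending_email = body["new_email"]
    target.verify_token = secrets.token_urlsafe(16)
    return target.verify_token  # would be mailed to target.pending_email


def change_email_fixed(store: Dict[int, User], session_user_id: int, body: dict) -> str:
    """Fixed: the target is the authenticated principal; a client-supplied
    user_id is accepted only if it matches that principal."""
    if body.get("user_id", session_user_id) != session_user_id:
        raise Forbidden("user_id does not match the authenticated user")
    target = store[session_user_id]
    target.pending_email = body["new_email"]
    target.verify_token = secrets.token_urlsafe(16)
    return target.verify_token


def verify_email(store: Dict[int, User], token: str) -> Optional[int]:
    """Consume a verification token and promote pending_email to the live address."""
    for user in store.values():
        if user.verify_token and secrets.compare_digest(user.verify_token, token):
            user.email, user.pending_email, user.verify_token = user.pending_email, None, None
            return user.id
    return None


def takeover_attempt(change_email: Callable) -> bool:
    """Replay the chain from the advisory: the attacker (id 2) rebinds the
    victim's (id 1) e-mail to an attacker-controlled inbox and verifies it,
    so a password-reset mail for the victim would now reach the attacker.
    Returns True if the victim's live e-mail now belongs to the attacker."""
    store = new_store()
    attacker_inbox = "reset-catcher@attacker.example"
    try:
        token = change_email(store, 2, {"user_id": 1, "new_email": attacker_inbox})
    except Forbidden:
        return False
    verify_email(store, token)  # attacker reads the token from their own inbox
    # A password-reset request for user 1 would now be mailed to attacker_inbox.
    return store[1].email == attacker_inbox


if __name__ == "__main__":
    print("vulnerable handler takeover:", takeover_attempt(change_email_vulnerable))
    print("fixed handler takeover:     ", takeover_attempt(change_email_fixed))
```

The fix is deliberately not "strip user_id from the request": rejecting a mismatching identifier rather than silently ignoring it makes probing visible in logs, and binding the target to the session covers every other handler in the flow (verification, reset) the same way.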

Remediation

Vendor Solution

Wakyma has fixed the vulnerability; the fix has been deployed in production through its continuous integration pipeline since February 19, 2026.


OpenCVE Recommended Actions

  • Confirm you are on the fixed production deployment Wakyma rolled out on February 19, 2026; no customer-side patch is listed, the vendor deploys the fix through its continuous integration pipeline
  • Verify account settings (registered email address, pending email verifications) and reset passwords for users who may have been affected
  • Review audit logs for email changes, email verifications, or password reset requests performed by a user other than the account owner, and for email changes followed shortly by a password reset request
  • Verify that the fix is deployed consistently across all environments, not only in the pipeline run of February 19, 2026

Generated by OpenCVE AI on March 22, 2026 at 14:47 UTC.
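The audit-log review in the recommended actions above, as an added worked example that is not Wakyma's code and does not use Wakyma's real log format. It assumes a JSON-lines audit log with ts, actor (authenticated user id, null for unauthenticated endpoints), target (account being modified), action and ip fields, and flags two things: sensitive actions where the actor is not the account owner (the direct IDOR signature) and an email change followed within a window by a password reset request for the same account (the takeover chain, detectable even when the reset request itself is unauthenticated). The log lines are constructed.

```python
"""Review constructed audit-log lines for the CVE-2026-3020 abuse pattern.
Constructed example with an assumed JSON-lines schema; not Wakyma's log format."""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Actions that only the account owner should ever trigger for an account.
SENSITIVE_ACTIONS = {"email_change", "email_verify", "password_reset_request"}

# Constructed sample log. actor: authenticated user id, or null for
# unauthenticated endpoints; target: the account being modified.
SAMPLE_LOG = """\
{"ts":"2026-02-18T09:12:01Z","actor":1,"target":1,"action":"login","ip":"203.0.113.5"}
{"ts":"2026-02-18T09:15:40Z","actor":2,"target":1,"action":"email_change","ip":"198.51.100.7","new_email":"reset-catcher@attacker.example"}
{"ts":"2026-02-18T09:16:10Z","actor":2,"target":1,"action":"email_verify","ip":"198.51.100.7"}
{"ts":"2026-02-18T09:17:00Z","actor":null,"target":1,"action":"password_reset_request","ip":"198.51.100.7"}
{"ts":"2026-02-18T10:00:00Z","actor":3,"target":3,"action":"email_change","ip":"192.0.2.9","new_email":"me@example.com"}
{"ts":"2026-02-18T13:30:00Z","actor":null,"target":3,"action":"password_reset_request","ip":"192.0.2.9"}
"""


def parse_log(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def cross_account_events(events: List[dict]) -> List[dict]:
    """Sensitive actions where the authenticated actor is not the target
    account. With no admin role modelled, this should never occur legitimately."""
    return [
        e for e in events
        if e["action"] in SENSITIVE_ACTIONS
        and e["actor"] is not None
        and e["actor"] != e["target"]
    ]


def takeover_chains(events: List[dict],
                    window: timedelta = timedelta(hours=1)) -> List[Tuple[int, str, str]]:
    """Per target account: an email_change followed within `window` by a
    password_reset_request. The reset request is often unauthenticated
    (actor null), so this check keys on the target rather than the actor."""
    by_target: Dict[int, List[dict]] = {}
    for e in events:
        by_target.setdefault(e["target"], []).append(e)
    chains: List[Tuple[int, str, str]] = []
    for target, evs in by_target.items():
        changes = [e for e in evs if e["action"] == "email_change"]
        resets = [e for e in evs if e["action"] == "password_reset_request"]
        for c in changes:
            t0 = parse_ts(c["ts"])
            for r in resets:
                delta = parse_ts(r["ts"]) - t0
                if timedelta(0) <= delta <= window:
                    chains.append((target, c["ts"], r["ts"]))
    return chains


def review(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Findings plus the set of accounts whose password should be reset."""
    events = parse_log(text)
    cross = cross_account_events(events)
    chains = takeover_chains(events)
    return {
        "cross_account": cross,
        "chains": chains,
        "accounts_to_reset": sorted({e["target"] for e in cross} | {t for t, _, _ in chains}),
    }


if __name__ == "__main__":
    print(json.dumps(review(), indent=2))
```

Account 3 in the sample changes its own e-mail and requests a reset three and a half hours later, so it trips neither check; tune the window to the real reset-token lifetime rather than the one-hour default assumed here.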

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:45:00 +0000

Values removed: none (initial record)

Type: Description
Values added: Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts

Type: Title
Values added: Identity based authorization bypass vulnerability (IDOR) in the Wakyma application web

Type: First Time appeared
Values added: Wakyma
              Wakyma wakyma Application Web

Type: Weaknesses
Values added: CWE-639

Type: CPEs
Values added: cpe:2.3:a:wakyma:wakyma_application_web:all_versions:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Wakyma
              Wakyma wakyma Application Web

Type: References
Values added: none listed

Type: Metrics (cvssV4_0)
Values added:
  {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-16T15:27:44.272Z

Reserved: 2026-02-23T13:43:53.578Z

Link: CVE-2026-3020

Vulnrichment

Updated: 2026-03-16T15:27:34.393Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:19:45.150

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-3020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:53Z

Weaknesses