Description
In Blog.Core through bcb4d17, the getinfobytoken API interface contains improper access control that leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security. NOTE: Blog.Admin is related front-end code that does not offer an API service.
Published: 2026-03-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Blog.Core GetInfoByToken API, as seen in commit bcb4d17, has an improper access control flaw that allows any user with a valid authentication token to retrieve sensitive administrator account information. Unauthorized parties can exploit this to expose secrets, posing a direct threat to confidentiality. The vulnerability arises because the endpoint fails to restrict access to privileged users, which aligns with improper access control (CWE‑284) and missing authorization (CWE‑863). Note that Blog.Admin, a related front‑end application, does not expose any API services and is not affected.

Affected Systems

The vulnerability affects the anjoy8 Blog.Core application, version 8.0 and earlier releases. Hosts running these versions are vulnerable if the GetInfoByToken endpoint is exposed to untrusted networks. No other vendor or product variants were identified in the available data.

Risk and Exploitability

The CVSS score of 4.3 classifies the flaw as medium severity, indicating that, while the impact is moderate, an attacker with a valid token could expose administrator credentials. The EPSS score of less than 1% suggests that community-exploited attacks are currently rare, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is to target the GetInfoByToken endpoint with a valid token. Based on the description, it is inferred that obtaining a valid token is a prerequisite for exploitation; once a token is available, the exploitation is straightforward and requires no additional steps.

Generated by OpenCVE AI on July 3, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement strict role-based access control on the GetInfoByToken endpoint so that only privileged administrators can invoke it.
  • Restrict exposure of the endpoint to trusted networks or enforce network segmentation and IP whitelisting.
  • Regenerate authentication tokens and enforce token rotation to limit the impact of any compromised token.
  • Monitor API usage logs for anomalous activity and investigate suspicious requests promptly.
  • If a newer Blog.Core release includes a fix, upgrade to that version.

Generated by OpenCVE AI on July 3, 2026 at 12:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 13:15:00 +0000

Type Values Removed Values Added
Title Improper Access Control in Blog.Core GetInfoByToken API Exposes Admin Credentials

Thu, 02 Jul 2026 20:15:00 +0000

Type Values Removed Values Added
Description A blog.admin v.8.0 and before system's getinfobytoken API interface contains an improper access control which leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security. In Blog.Core through bcb4d17, the getinfobytoken API interface contains improper access control that leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security. NOTE: Blog.Admin is related front-end code that does not offer an API service.
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Improper Access Control in BlogAdmin GetInfoByToken API Exposes Administrator Credentials

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:anjoy8:blog.admin:8.0:*:*:*:*:*:*:*

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Title Improper Access Control in BlogAdmin GetInfoByToken API Exposes Administrator Credentials
First Time appeared Anjoy8
Anjoy8 blog.admin
Vendors & Products Anjoy8
Anjoy8 blog.admin

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title Improper Access Control in Blog.Admin getinfobytoken API Exposes Admin Credentials
Weaknesses CWE-200
CWE-285

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Improper Access Control in Blog.Admin getinfobytoken API Exposes Admin Credentials
Weaknesses CWE-200
CWE-285

Fri, 27 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description A blog.admin v.8.0 and before system's getinfobytoken API interface contains an improper access control which leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security.
References

Subscriptions

Anjoy8 Blog.admin
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-02T19:53:34.641Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30689

cve-icon Vulnrichment

Updated: 2026-03-27T20:31:54.015Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T15:16:53.620

Modified: 2026-06-17T10:32:52.410

Link: CVE-2026-30689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-03T13:00:12Z

Weaknesses