Description
A blog.admin v.8.0 and before system's getinfobytoken API interface contains an improper access control which leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security.
Published: 2026-03-27
Score: n/a
EPSS: n/a
KEV: No
Impact: Sensitive data exposure via improper access control
Action: Apply Patch
AI Analysis

Impact

The flaw lies in an improper access control check in Blog.Admin’s getinfobytoken API. An attacker who can supply a legitimate administrator token can invoke the endpoint and retrieve sensitive account details, thereby revealing credentials and other privileged information.

Affected Systems

Blog.Admin versions 8.0 and earlier are affected. The vulnerability exists in the getinfobytoken interface of these releases, and no public patch has been issued for these versions.

Risk and Exploitability

Based on the description, the vulnerability requires possession of an administrative token, and the likely attack vector is remote access to the API endpoint capable of accepting such a token. The occurrence of exploitation is considered high because valid tokens are required, which could be obtained from legitimate use or via token theft; however, the specific attack path is inferred. The CVSS score is not available, EPSS is unknown, and the flaw is not listed in the CISA KEV catalog. Exposure of sensitive administrator data poses a significant confidentiality risk to the affected system.

Generated by OpenCVE AI on March 27, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Blog.Admin release (v8.1 or later) where the getinfobytoken access control issue is fixed.
  • If an upgrade is not possible immediately, disable the getinfobytoken API or restrict its access to a secure network segment.
  • Re‑issue or revoke all current administrative tokens and generate new ones.
  • Monitor logs for unexpected requests to the getinfobytoken endpoint and investigate suspicious activity.
  • Contact Blog.Admin maintainers for an official security patch if no update is available.

Generated by OpenCVE AI on March 27, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title Improper Access Control in Blog.Admin getinfobytoken API Exposes Admin Credentials
Weaknesses CWE-200
CWE-285

Fri, 27 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description A blog.admin v.8.0 and before system's getinfobytoken API interface contains an improper access control which leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T20:32:29.894Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30689

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T15:16:53.620

Modified: 2026-03-27T15:16:53.620

Link: CVE-2026-30689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:29:03Z

Weaknesses