CVE-2026-31071 - Vulnerability Details

- Unauthenticated API Access Exposing User Data and Allowing Inventory Modification

Description

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.

Published: 2026-05-19

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability stems from missing authentication checks on three API endpoints in the LalanaChami Pharmacy Management System, specifically /api/user/getUserData, /api/doctorOder, and associated routes. Unauthenticated remote attackers can issue requests to these endpoints and retrieve a complete dump of all user records, including bcrypt password hashes. They can also modify drug inventory data and access private medical prescription information, effectively compromising both confidentiality and integrity of the system’s sensitive data.

Affected Systems

The affected system is the LalanaChami Pharmacy Management System, as demonstrated in the backend/routes code at commit 5c3d028. No specific version numbers are listed beyond this commit, indicating that any release containing these code paths up to and including this commit is vulnerable.

Risk and Exploitability

The lack of authentication middleware allows attackers to exploit the endpoints without any prerequisites, making the attack path trivial. The CVSS score of 9.1 indicates severe impact, while the EPSS score of < 1% suggests low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, yet the exposure of full user data, inventory control, and prescription records would represent a high-impact breach. The risk is therefore significant, especially for systems exposed to the public internet or untrusted networks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Lalanachami

Pharmacy Management System

100%

Version	Status	Scheme	Platform
`5c3d02888631166649856f71d542387114b3010b`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the updated version of the Pharmacy Management System that implements authentication middleware for all user and inventory endpoints.
Restrict network access to the API by implementing IP whitelisting or a VPN so that only trusted internal hosts can reach the vulnerable endpoints.
Audit all API routes in the codebase to confirm proper authentication and authorization checks are present and enforce least-privilege access control for medical data.

Generated by OpenCVE AI on May 20, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00059.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://gist.github.com/nedlir/bc8ad4693c53256819280e8f5de49286
https://github.com/LalanaChami/Pharmacy-Mangment-System/tree/5c3d02888631166649856f71d542387114b3010b/backend/routes

History

Wed, 20 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated API Access Exposing User Data and Allowing Inventory Modification

Wed, 20 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 20 May 2026 11:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lalanachami Lalanachami pharmacy Management System
Vendors & Products		Lalanachami Lalanachami pharmacy Management System

Tue, 19 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.
References		https://gist.github.com/nedlir/bc8ad4693c53256819280e8f5de49286 https://github.com/LalanaChami/Pharmacy-Mangment-System/tree/5c3d02888631166649856f71d542387114b3010b/backend/routes

Subscriptions

Lalanachami Pharmacy Management System

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-19T00:00:00.000Z

Updated: 2026-05-20T13:59:58.362Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31071

Vulnrichment

Updated: 2026-05-20T13:59:08.242Z

NVD

Status : Deferred

Published: 2026-05-19T16:16:20.490

Modified: 2026-05-20T14:16:40.560

Link: CVE-2026-31071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:30:33Z

Weaknesses

CWE-306
Missing Authentication for Critical Function

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object