Description
API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.
Published: 2026-05-19
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from missing authentication checks on three API endpoints in the LalanaChami Pharmacy Management System, specifically /api/user/getUserData, /api/doctorOder, and associated routes. Unauthenticated remote attackers can issue requests to these endpoints and retrieve a complete dump of all user records, including bcrypt password hashes. They can also modify drug inventory data and access private medical prescription information, effectively compromising both confidentiality and integrity of the system’s sensitive data.

Affected Systems

The affected system is the LalanaChami Pharmacy Management System, as demonstrated in the backend/routes code at commit 5c3d028. No specific version numbers are listed beyond this commit, indicating that any release containing these code paths up to and including this commit is vulnerable.

Risk and Exploitability

The lack of authentication middleware allows attackers to exploit the endpoints without any prerequisites, making the attack path trivial. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, yet the exposure of full user data, inventory control, and prescription records would represent a high-impact breach. The risk is therefore significant, especially for systems exposed to the public internet or untrusted networks.

Generated by OpenCVE AI on May 19, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the updated version of the Pharmacy Management System that implements authentication middleware for all user and inventory endpoints.
  • Restrict network access to the API by implementing IP whitelisting or a VPN so that only trusted internal hosts can reach the vulnerable endpoints.
  • Audit all API routes in the codebase to confirm proper authentication and authorization checks are present and enforce least‑privilege access control for medical data.

Generated by OpenCVE AI on May 19, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-19T14:54:05.899Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31071

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-19T16:16:20.490

Modified: 2026-05-19T18:04:29.373

Link: CVE-2026-31071

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T16:30:09Z

Weaknesses

No weakness.