Description
Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component
Published: 2026-05-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the permission handling of kvf-admin v1.0.0, specifically within the UserController component, enables a remote attacker to gain higher level privileges. The vulnerability is an insecure permissions issue that allows bypassing normal access controls. Once exploited, the attacker can perform any action granted to privileged users, potentially leading to full system compromise.

Affected Systems

The reported vulnerability affects the kvf-admin application, version 1.0.0. No other vendors or product variants are listed in the available data.

Risk and Exploitability

EPSS score < 1% and the vulnerability is not currently listed in the CISA KEV catalog. The CVSS score is 8.8, indicating a high severity level. The attack vector is inferred to be remote, likely via the web interface of UserController. Exploitation requires the attacker to interact with the vulnerable component, but no additional prerequisites are mentioned. Given the high potential impact and the lack of publicly known mitigations, the risk to affected installations is considered significant.

Generated by OpenCVE AI on May 28, 2026 at 19:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or update to a fixed version of kvf-admin when it becomes available
  • Restrict external access to the kvf-admin administration interface using firewall rules or VPN to reduce exposure to remote attackers
  • Review and tighten permission settings within the application to ensure the principle of least privilege is enforced
  • Monitor authentication and privilege escalation attempts in system logs and alert on suspicious activity

Generated by OpenCVE AI on May 28, 2026 at 19:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://github.com/cagexunxi/CVE/issues/1 cve-icon cve-icon cve-icon
History

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Kalvingit
Kalvingit kvf-admin
Vendors & Products Kalvingit
Kalvingit kvf-admin

Thu, 28 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Insecure Permissions in kvf-admin Allowing Remote Privilege Escalation

Thu, 28 May 2026 17:30:00 +0000

Type Values Removed Values Added
Title Privilege Escalation in kvf-admin via Insecure Permissions
Weaknesses CWE-284

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation in kvf-admin via Insecure Permissions
Weaknesses CWE-284

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component
References

Subscriptions

Kalvingit Kvf-admin
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T14:22:41.113Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38807

cve-icon Vulnrichment

Updated: 2026-05-28T14:21:34.235Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T18:16:22.227

Modified: 2026-05-28T16:16:22.050

Link: CVE-2026-38807

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:22:22Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key