Description
A broken access control may allow an authenticated user to perform a
horizontal privilege escalation. The vulnerability only impacts specific
configurations.
Published: 2026-03-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a broken access control (CWE-639) that permits an authenticated user to perform horizontal privilege escalation within the Pointsharp ID Server. An attacker who can log in with valid credentials can exploit the flaw to access resources or data that belong to other users, thereby compromising the confidentiality and integrity of data owned by those users and enabling further lateral movement. The weakness arises because the system fails to enforce proper ownership checks on certain configurations.

Affected Systems

The flaw affects the Pointsharp ID Server product. Specific affected versions are not listed, and the issue is limited to particular configurations of the server. Administrators should review the product configuration to determine whether the vulnerable settings are present.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests a low likelihood of imminent exploitation. The vulnerability is not listed in the CISA KEV catalog, which further indicates that active exploitation has not been reported. Exploitation requires valid credentials and access to the affected configuration, so the attack vector is likely remote but restricted to authenticated users. Administrators should treat this as a high-priority patch.

Generated by OpenCVE AI on March 19, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any Pointsharp ID Server patch or update that addresses the broken access control flaw.
  • If no patch is available, review and restrict configuration settings that enable the flaw, enforcing least privilege for users.
  • Segment the network to limit the reach of compromised accounts.
  • Regularly monitor logs for anomalous access patterns by legitimate accounts.

Tracking

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Pointsharp; Pointsharp id Server
Vendors & Products   -                Pointsharp; Pointsharp id Server

Fri, 13 Mar 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 08:45:00 +0000

Type          Values Removed   Values Added
Description   -                A broken access control may allow an authenticated user to perform a horizontal privilege escalation. The vulnerability only impacts specific configurations.
Title         -                Broken access control vulnerability affecting ID Server
Weaknesses    -                CWE-639
References    -                -
Metrics       -                cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Pointsharp Id Server
MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-03-16T11:27:05.956Z

Reserved: 2026-03-11T17:52:20.020Z

Link: CVE-2026-3999

Vulnrichment

Updated: 2026-03-13T16:04:54.947Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:55:13.130

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-3999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:37Z

Weaknesses