CVE-2026-4171 - Vulnerability Details

- CodeGenieApp serverless-express API Endpoint TodoList.ts authorization

Description

A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-03-15

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the TodoList.ts model of the CodeGenieApp serverless‑express API endpoint. Manipulating the userId parameter causes the system to ignore proper authorization checks, allowing an attacker to impersonate any user. This flaw can lead to the disclosure or modification of sensitive data and potentially to unauthorized execution of privileged actions within the application. The weakness corresponds to CWE‑285 (Authorization) and CWE‑639 (Authorization Bypass Through User‑Controlled Search).

Affected Systems

This flaw affects CodeGenieApp’s serverless‑express component in all releases up to and including version 4.17.1. The affected functionality is located in examples/lambda‑function‑url/packages/api/models/TodoList.ts. No other versions or products have been identified as affected in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is reported as less than 1%, suggesting low but non-zero exploit probability. It is not currently listed in the CISA KEV catalog. The description states that the attack can be carried out remotely, though the precise vector (e.g., HTTP request to the API endpoint) is inferred and not explicitly detailed. Exploitation requires an authenticated or unauthenticated request to the affected endpoint with a manipulated userId parameter, which the software fails to validate, resulting in an authorization bypass.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CodeGenieApp

serverless-express

affected

Version	Status	Constraints
`4.17.0`	affected	—
`4.17.1`	affected	—

No data.

Vendor Product Confidence Versions

Codegenieapp

Serverless-express

100%

Version	Status	Scheme	Platform
`4.17.0`	affected	semver	—
`4.17.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest CodeGenieApp serverless‑express patch or upgrade to a version newer than 4.17.1. This should fix the improper authorization check in the TodoList module.

Generated by OpenCVE AI on March 21, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00046.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/AnalogyC0de/public_exp/issues/20
https://vuldb.com/?ctiid.351078
https://vuldb.com/?id.351078
https://vuldb.com/?submit.769769
https://vuldb.com/?submit.769771

History

Mon, 16 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Codegenieapp Codegenieapp serverless-express
Vendors & Products		Codegenieapp Codegenieapp serverless-express

Sun, 15 Mar 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		CodeGenieApp serverless-express API Endpoint TodoList.ts authorization
Weaknesses		CWE-285 CWE-639
References		https://github.com/AnalogyC0de/public_exp/issues/20 https://vuldb.com/?ctiid.351078 https://vuldb.com/?id.351078 https://vuldb.com/?submit.769769 https://vuldb.com/?submit.769771
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Codegenieapp Serverless-express

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-15T08:02:07.894Z

Updated: 2026-03-16T15:40:39.639Z

Reserved: 2026-03-14T12:57:22.419Z

Link: CVE-2026-4171

Vulnrichment

Updated: 2026-03-16T15:40:35.382Z

NVD

Status : Deferred

Published: 2026-03-16T14:19:57.123

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-4171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:57Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object