Description
Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for credentials.
Published: 2026-05-18
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The description points to a login check that issues an HTTP redirect (a Location header sending the client to the login page) but does not stop processing the request: the rest of the script keeps running and the protected content is rendered anyway. Because the redirect is a server response, the attacker does not have to forge anything on the server side. A client that simply does not honour the Location header (an intercepting proxy, or curl without -L) receives the protected output in the body of the redirect response. This is a direct authorization bypass: unauthenticated access to protected features and privilege escalation without credentials, classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
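The following Python is an added illustration of that pattern and the check a practitioner would run for it; it is not ICMS code (the vulnerable source is not published on this page). The handler names, the /login path, the ADMIN_MARKER string and the sample raw HTTP response are all assumed or constructed for the example. It models a protected page that emits a redirect without stopping (the bug), the same page with an immediate return after the redirect (the fix), and a check that flags any redirect response whose body still carries protected content.

```python
"""Model of the 'redirect without exit' authorization bypass.

Hypothetical code, not ICMS: a protected handler redirects unauthenticated
sessions to the login page but keeps executing, so a client that ignores
the Location header still receives the protected content.
"""
from dataclasses import dataclass, field

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Assumed marker of protected content; a real check would use a string that
# only appears on the protected page of the target application.
ADMIN_MARKER = "<h1>Admin panel</h1>"


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


def render_admin_panel() -> str:
    """Stand-in for whatever protected feature the application renders."""
    return ADMIN_MARKER + "<a href='/admin/users'>Manage users</a>"


def admin_page_vulnerable(session: dict) -> Response:
    """Vulnerable pattern: the Location header is set, but nothing stops the
    request, so the protected page is rendered into the 302 response body."""
    resp = Response()
    if "user" not in session:
        resp.status = 302
        resp.headers["Location"] = "/login"
        # BUG: no `return resp` here (the PHP equivalent is header() without exit)
    resp.body = render_admin_panel()
    return resp


def admin_page_fixed(session: dict) -> Response:
    """Hardened pattern: terminate the request as soon as the redirect is issued."""
    resp = Response()
    if "user" not in session:
        resp.status = 302
        resp.headers["Location"] = "/login"
        return resp
    resp.body = render_admin_panel()
    return resp


def leaks_protected_content(resp: Response) -> bool:
    """A redirect to the login page must carry no protected content.

    This is what an attacker's client sees when it requests the page and keeps
    the body instead of following the redirect."""
    return resp.status in REDIRECT_CODES and ADMIN_MARKER in resp.body


def check_raw_http_response(raw: bytes) -> bool:
    """Same check over a raw response captured from a real server, for example
    the output of `curl -si --max-redirs 0 https://host/admin.php`."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    status = int(status_line.split()[1])
    return status in REDIRECT_CODES and ADMIN_MARKER.encode() in body


# Constructed sample (not captured from any real system): a 302 to the login
# page whose body still contains the admin panel.
SAMPLE_LEAKY_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /login\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>" + ADMIN_MARKER.encode() + b"</body></html>"
)

if __name__ == "__main__":
    anonymous = {}
    print("vulnerable handler leaks:", leaks_protected_content(admin_page_vulnerable(anonymous)))  # True
    print("fixed handler leaks:", leaks_protected_content(admin_page_fixed(anonymous)))            # False
    print("sample raw response leaks:", check_raw_http_response(SAMPLE_LEAKY_RESPONSE))            # True
```

The server-side fix is the one-line `return` (or `exit`/`die` in PHP) after the redirect is emitted; the client-side check is to request protected URLs without following redirects and treat any non-empty protected body on a 3xx response as a finding.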

Affected Systems

Creartia Internet Consulting's ICMS Content Management software is affected. The advisory gives no affected version range; treat every deployment as affected until it runs the release in which the vendor states the issue is fixed.

Risk and Exploitability

The CVSS v4.0 score is 9.3 (Critical), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N: reachable over the network, low attack complexity, no attack prerequisites, no privileges and no user interaction required, with high impact on the confidentiality and integrity of the vulnerable system and none on availability. No EPSS score is available, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: yes, Technical Impact: total. Based on the description and the vector, exploitation needs only an HTTP request to a protected endpoint from a client that does not follow the login redirect; no credentials and no crafted payload are required. A successful attacker gains access to protected functionality and can escalate privileges.

Generated by OpenCVE AI on May 18, 2026 at 11:20 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Creartia Internet Consulting S.L. team. It is recommended to update to the latest version.


OpenCVE Recommended Actions

  • Apply the latest version of ICMS Content Management, which contains the fix for the authorization bypass.
  • Until the update is applied, ensure the login check terminates request processing immediately after emitting the redirect (return, exit or die right after the Location header is set), so that no protected content is rendered for a client that does not follow the redirect; verify the fix by requesting protected URLs without following redirects and confirming the 3xx response body is empty.
  • Log and monitor requests to protected endpoints from sessions with no authenticated user, and alert on clients that request protected pages without following the login redirect.

Generated by OpenCVE AI on May 18, 2026 at 11:20 UTC.

Advisories

No advisories yet.

History

Mon, 18 May 2026 11:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 18 May 2026 10:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for credentials.
Title        (none)           Authorization Bypass in ICMS Content Management by Creartia Internet Consulting
Weaknesses   (none)           CWE-288
References   (none)           (none listed)
Metrics      (none)           cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-05-18T11:09:54.218Z

Reserved: 2026-03-17T11:07:32.587Z

Link: CVE-2026-4320

Vulnrichment

Updated: 2026-05-18T11:09:47.972Z

NVD

Status : Received

Published: 2026-05-18T11:16:18.283

Modified: 2026-05-18T11:16:18.283

Link: CVE-2026-4320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T11:30:24Z

Weaknesses