CVE-2026-4548 - Vulnerability Details

- mickasmt next-saas-stripe-starter update-user-role.ts updateUserrole improper authorization

Description

A vulnerability was detected in mickasmt next-saas-stripe-starter 1.0.0. Affected by this vulnerability is the function updateUserrole of the file actions/update-user-role.ts. The manipulation of the argument userId/role results in improper authorization. The attack may be launched remotely.

Published: 2026-03-22

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in the updateUserrole function of mickasmt next-saas-stripe-starter, where manipulating the userId and role inputs bypasses the intended authorization checks. This results in an improper privilege escalation that can grant an attacker any role, potentially providing full control over the application. The weakness corresponds to CWE‑266 (Improper Privilege Management) and CWE‑285 (Improper Authorization), indicating that the system fails to enforce correct role boundaries.

Affected Systems

The vulnerable software is v1.0.0 of the open‑source project mickasmt next‑saas‑stripe‑starter. No other versions are listed as affected in the current advisory.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. EPSS data is unavailable and the vulnerability is not yet in the CISA Known Exploited Vulnerabilities catalog. The description notes that the attack can be launched remotely, implying that the updateUserrole endpoint is exposed to network traffic. An attacker who can reach this endpoint can craft userId and role values to change any user’s role, which may compromise confidentiality, integrity, and availability of the application. While the likelihood of exploitation is uncertain, the impact warrants prompt mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mickasmt

next-saas-stripe-starter

affected

Version	Status	Constraints
`1.0.0`	affected	—

No data.

Vendor Product Confidence Versions

Mickasmt

Next-saas-stripe-starter

100%

Version	Status	Scheme	Platform
`1.0.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest version of next‑saas‑stripe‑starter that includes the authorization fix if one is released.
If a patch is not available immediately, restrict the updateUserrole endpoint so that only trusted administrators can invoke it.
Enforce server‑side validation so that only permitted role values can be assigned.
Enable audit logging for all role changes and regularly review logs for suspicious activity.
Review the application’s role‑handling logic to ensure that proper authorization checks remain in place in future releases.

Generated by OpenCVE AI on March 22, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00041.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://vuldb.com/?ctiid.352375
https://vuldb.com/?id.352375
https://vuldb.com/?submit.774805

History

Mon, 23 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mickasmt Mickasmt next-saas-stripe-starter
Vendors & Products		Mickasmt Mickasmt next-saas-stripe-starter

Sun, 22 Mar 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in mickasmt next-saas-stripe-starter 1.0.0. Affected by this vulnerability is the function updateUserrole of the file actions/update-user-role.ts. The manipulation of the argument userId/role results in improper authorization. The attack may be launched remotely.
Title		mickasmt next-saas-stripe-starter update-user-role.ts updateUserrole improper authorization
Weaknesses		CWE-266 CWE-285
References		https://vuldb.com/?ctiid.352375 https://vuldb.com/?id.352375 https://vuldb.com/?submit.774805
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Mickasmt Next-saas-stripe-starter

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-22T13:02:44.410Z

Updated: 2026-03-23T16:06:10.980Z

Reserved: 2026-03-21T16:49:01.510Z

Link: CVE-2026-4548

Vulnrichment

Updated: 2026-03-23T16:06:04.286Z

NVD

Status : Deferred

Published: 2026-03-22T14:16:34.840

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4548

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:46:27Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object