Impact
Vvveb, a CMS used to build websites, blogs, and e-commerce sites, contains an insecure direct object reference (IDOR) flaw in its backend admin/auth-token endpoint. An authenticated administrator can send a request containing the admin_id of another administrator and receive that user's list of REST API tokens. This flaw exposes credentials that can be used to call the CMS API with elevated privileges, potentially allowing an attacker to access sensitive data or perform actions on behalf of that administrator. The weakness stems from improper authorization checks and is classified as CWE‑639 (Authorization Bypass Through User-Controlled Key). The impact is mainly a confidentiality breach of privileged tokens, which could lead to further compromise of the system if the tokens are used maliciously.
Affected Systems
The vulnerability affects all installations of Vvveb older than version 1.0.8.3. Any site running a pre‑1.0.8.3 release is vulnerable to token disclosure via the admin/auth-token endpoint.
Risk and Exploitability
With a CVSS score of 8.1, the vulnerability is considered high severity. The EPSS score is currently unavailable, so the likelihood of exploitation is uncertain, but the fact that the vulnerability requires only an authenticated administrator account, which is typically easier to obtain than full system credentials, increases the risk. The vulnerability is not listed in CISA KEV, but the impact warrants immediate attention. An attacker who can impersonate or compromise an administrator account can exploit the IDOR to retrieve other administrators' API tokens simply by specifying a different admin_id value in the request. The resulting disclosure could enable privileged API access, data exfiltration, or further lateral movement within the CMS. The threat remains significant even in the absence of a publicly available exploit.
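The authorization failure described above, modelled as an added illustration that is not Vvveb's code: a handler that trusts a client-supplied admin_id next to the hardened form that binds the lookup to the session identity, plus a retrospective log check. The token table, the Forbidden exception, the audit list and the log-line format are all constructed assumptions for the demonstration.

```python
import re

# Constructed sample data for the demonstration; not Vvveb's storage or format.
TOKENS = {
    1: ["tok-admin1-0001"],
    2: ["tok-admin2-0001", "tok-admin2-0002"],
}


class Forbidden(Exception):
    """Raised when a request names an admin_id other than the caller's own."""


def auth_token_vulnerable(session_admin_id, requested_admin_id):
    """IDOR pattern from the advisory: the endpoint verifies only that the
    caller holds an administrator session (session_admin_id is never used
    in the lookup) and returns tokens for whatever admin_id the client sent."""
    return list(TOKENS.get(requested_admin_id, []))


def auth_token_fixed(session_admin_id, requested_admin_id, audit):
    """Hardened form: the lookup key is the identifier bound to the session.
    A request naming a different admin_id is refused and appended to the
    audit list so the attempt is visible to monitoring."""
    if requested_admin_id != session_admin_id:
        audit.append(
            f"denied: session admin {session_admin_id} requested "
            f"tokens of admin {requested_admin_id}"
        )
        raise Forbidden("admin_id does not match the authenticated administrator")
    return list(TOKENS.get(session_admin_id, []))


# Constructed log format with the session's admin id and the requested id on
# one line; a real deployment would need to join session data to the request.
LOG_RE = re.compile(r"session_admin=(\d+) path=/admin/auth-token\?admin_id=(\d+)")


def flag_cross_admin_requests(log_lines):
    """Return the log lines in which an administrator asked for another
    administrator's tokens, as a retrospective check on pre-1.0.8.3 installs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(1) != m.group(2):
            hits.append(line)
    return hits


if __name__ == "__main__":
    audit = []
    print(auth_token_vulnerable(1, 2))  # admin 1 receives admin 2's tokens
    try:
        auth_token_fixed(1, 2, audit)
    except Forbidden as exc:
        print("refused:", exc)
    print(audit)
```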
OpenCVE Enrichment