Description
A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

A flaw in the User Update Endpoint of z-9527 admin allows an attacker to send the isAdmin parameter with the value 1, causing the server to create object properties whose names are resolved at runtime from the request. This dynamic property creation bypasses the endpoint's normal input validation and lets an attacker alter essential user attributes, potentially granting elevated privileges or modifying user data without authorization.

Affected Systems

The vulnerability is known to affect z-9527 admin versions 1.0 and 2.0 through the /server/routes/user.js endpoint. Operators of these versions should determine whether the endpoint is reachable from untrusted networks and assess their exposure to the described issue accordingly.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and no exploit prevalence score is provided. Exploitation can occur remotely via the HTTP interface to the user update endpoint, and publicly available proof-of-concept code exists. While the vulnerability is not catalogued in the CISA Known Exploited Vulnerabilities list, the remote nature and lack of restrictions make it a potential risk for privilege escalation if it remains unpatched.

Generated by OpenCVE AI on April 1, 2026 at 05:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether a newer version of z-9527 admin is available and apply the patch immediately.
  • If no patch exists, restrict external access to the User Update Endpoint using firewall rules or VPN so only trusted networks can reach it.
  • Implement server-side validation to sanitize the isAdmin parameter before it is used in object property creation.
  • Monitor application logs for unexpected changes to user objects or elevation of privileges.
  • If the vendor remains unresponsive, consider disabling the update endpoint or migrating to a more secure user management solution.
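The allowlist approach behind the third and fourth actions above, as an added example that is not the z-9527 admin project's own code: the real contents of /server/routes/user.js are not shown on this page, so the handler shape, the user record, the field names other than isAdmin and the SELF_SERVICE_FIELDS allowlist are all assumptions constructed here. The block contrasts a mass-assignment update (the CWE-915 pattern the advisory describes) with a hardened one that copies only allowlisted, type-checked fields and writes an audit entry for every rejected update, which is the signal the log-monitoring action depends on.

```javascript
// Added example, not code from z-9527 admin: the real /server/routes/user.js
// is not on the page, so everything below is a constructed stand-in.

// Constructed sample user record (assumed shape).
function makeSampleUser() {
  return { id: 42, username: "alice", email: "alice@example.test", isAdmin: false };
}

// Vulnerable pattern (CWE-915, dynamically determined object attributes):
// every key in the request body becomes a property of the stored user, so a
// client-supplied isAdmin reaches the record unchanged.
function applyUpdateUnsafe(user, body) {
  return Object.assign({}, user, body);
}

// Hardened pattern: copy only an explicit allowlist of self-service fields,
// type-check each value, and reject (rather than silently drop) anything else
// so the attempt becomes visible to monitoring. The allowlist is an assumption.
const SELF_SERVICE_FIELDS = new Set(["username", "email"]);

function applyUpdateSafe(user, body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new TypeError("update body must be a JSON object");
  }
  const updated = { ...user };
  for (const key of Object.keys(body)) {
    if (!SELF_SERVICE_FIELDS.has(key)) {
      throw new Error(`field not updatable: ${key}`);
    }
    const value = body[key];
    if (typeof value !== "string" || value.length === 0 || value.length > 255) {
      throw new Error(`invalid value for ${key}`);
    }
    updated[key] = value;
  }
  return updated;
}

// Framework-free stand-in for an Express handler: takes a Map as the user
// store and returns {status, body} instead of writing to res. Rejected
// updates are appended to auditLog, which is what log monitoring would watch.
function handleUserUpdate(store, auditLog, req, apply) {
  const user = store.get(req.user.id);
  if (!user) return { status: 404, body: { error: "not found" } };
  try {
    const updated = apply(user, req.body);
    store.set(user.id, updated);
    return { status: 200, body: updated };
  } catch (e) {
    auditLog.push({
      event: "user_update_rejected",
      userId: req.user.id,
      keys: Object.keys(req.body || {}),
      reason: e.message,
    });
    return { status: 400, body: { error: e.message } };
  }
}

// Runs the request the advisory describes (isAdmin set to 1 alongside an
// ordinary field) through both handlers and reports what each stored.
function demo() {
  const req = { user: { id: 42 }, body: { email: "new@example.test", isAdmin: 1 } };

  const unsafeStore = new Map([[42, makeSampleUser()]]);
  const unsafeAudit = [];
  const unsafe = handleUserUpdate(unsafeStore, unsafeAudit, req, applyUpdateUnsafe);

  const safeStore = new Map([[42, makeSampleUser()]]);
  const safeAudit = [];
  const safe = handleUserUpdate(safeStore, safeAudit, req, applyUpdateSafe);

  return {
    unsafeResult: unsafe,
    unsafeStoredIsAdmin: unsafeStore.get(42).isAdmin,
    safeResult: safe,
    safeStoredIsAdmin: safeStore.get(42).isAdmin,
    safeAudit,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Rejecting the whole request on an unknown key, instead of dropping the key and applying the rest, is a deliberate choice: a silently dropped isAdmin never appears in logs, whereas a 400 plus an audit record gives the monitoring step something concrete to alert on.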

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Z-9527; Z-9527 admin
Vendors & Products | | Z-9527; Z-9527 admin

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | z-9527 admin User Update Endpoint user.js dynamically-determined object attributes
Weaknesses | | CWE-913; CWE-915
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T13:12:46.568Z

Reserved: 2026-03-31T16:11:37.477Z

Link: CVE-2026-5251

Vulnrichment

Updated: 2026-04-01T13:12:43.185Z

NVD

Status: Awaiting Analysis

Published: 2026-04-01T03:15:59.050

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-5251

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:18:31Z

Weaknesses