Description
Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}).
Published: 2026-06-17
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Azuriom CMS before version 1.2.11 lacks proper authorization checks on its server management routes. An attacker who is already authenticated and possesses the admin.access permission can exploit this flaw to create AzLink server tokens. With these tokens the attacker can modify non-admin user accounts, changing passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints. The result is a full account takeover of non-admin users, compromising confidentiality and integrity of user credentials.

Affected Systems

The vulnerability affects Azuriom CMS, all platforms, for all releases prior to 1.2.11.

Risk and Exploitability

The CVSS score of 8.6 classifies the flaw as high severity. The EPSS rating of less than 1% indicates a low current likelihood of public exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, an attacker must be authenticated and carry the admin.access permission; once these prerequisites are met, the exploitation path is straightforward with standard HTTP requests, making the risk significant for organizations with exposed Azuriom installations.

Generated by OpenCVE AI on June 18, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Azuriom CMS to version 1.2.11 or later where the server route authorization checks have been restored.
  • Limit the admin.access permission to trusted personnel only and regularly review role assignments on the platform.
  • Monitor and log all requests to /admin/servers/create and AzLink API endpoints, and enforce alerts for anomalous behavior or repeated attempts to modify user credentials.

Generated by OpenCVE AI on June 18, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Azuriom
Azuriom azuriom
Vendors & Products Azuriom
Azuriom azuriom

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}).
Title Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover
Weaknesses CWE-269
CWE-862
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-17T15:41:21.422Z

Reserved: 2026-06-13T16:39:46.122Z

Link: CVE-2026-54415

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses