Description
A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

A defect in Dromara lamp‑cloud up to version 5.8.1 allows manipulation of the pageUser function within the DefUserController to bypass authentication checks. This exposes user data and potentially other privileged information to anyone able to send the crafted request. The flaw is an example of improper authorization consistent with CWE‑266 and CWE‑285.

Affected Systems

The issue affects installations of Dromara lamp‑cloud at or below 5.8.1. Vendor: Dromara; product lamp‑cloud. No other affected versions have been reported.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The exploit is publicly available and can be launched from a remote location; however, the EPSS score is unavailable and the vulnerability is not in the CISA KEV list. Attackers with network access to the application can manipulate the request to gain unauthorized access, so the risk is moderate to high depending on exposure.

Generated by OpenCVE AI on April 5, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest version of Dromara lamp-cloud that contains the authorization fix
  • Restrict network access to the DefUserController endpoint to trusted users only
  • Implement application‑level access controls or a web‑application firewall to block unauthorized requests
  • Monitor logs for suspicious access patterns to the pageUser endpoint

Generated by OpenCVE AI on April 5, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Dromara
Dromara lamp-cloud
Vendors & Products Dromara
Dromara lamp-cloud
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title Dromara lamp-cloud DefUserController pageUser improper authorization
Weaknesses CWE-266
CWE-285
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Dromara Lamp-cloud
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T19:11:19.646Z

Reserved: 2026-04-04T06:26:51.702Z

Link: CVE-2026-5529

cve-icon Vulnrichment

Updated: 2026-04-06T19:11:16.040Z

cve-icon NVD

Status : Deferred

Published: 2026-04-05T01:16:47.450

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-5529

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:57:26Z

Weaknesses