Description
A vulnerability was identified in provectus kafka-ui up to 0.7.2. This impacts the function validateAccess of the file /api/smartfilters/testexecutions of the component Endpoint. The manipulation leads to code injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A code injection vulnerability exists in the validateAccess function of provectus kafka‑ui’s /api/smartfilters/testexecutions endpoint. Because user input is not properly validated, an attacker can execute arbitrary code on the server hosting the service, compromising confidentiality, integrity, and availability of the system. The vulnerability is exploitable remotely via crafted requests to the affected endpoint.

Affected Systems

The flaw affects provectus kafka‑ui versions up to and including 0.7.2. Any deployment of these or earlier releases that exposes the /api/smartfilters/testexecutions API to external clients is vulnerable.

Risk and Exploitability

The CVSS score for this issue is 6.9, indicating a moderate to high severity. EPSS data is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but published exploit code is publicly accessible. The attack vector is remote, as an attacker only needs to send malicious requests to the exposed API endpoint, making exploitation straightforward for an adversary with network access to the service.

Generated by OpenCVE AI on April 5, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade provectus kafka‑ui to a release newer than 0.7.2 when available.

Generated by OpenCVE AI on April 5, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Provectus ui
CPEs cpe:2.3:a:provectus:ui:*:*:*:*:*:kafka:*:*
Vendors & Products Provectus ui

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Provectus
Provectus kafka-ui
Vendors & Products Provectus
Provectus kafka-ui

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in provectus kafka-ui up to 0.7.2. This impacts the function validateAccess of the file /api/smartfilters/testexecutions of the component Endpoint. The manipulation leads to code injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title provectus kafka-ui Endpoint testexecutions validateAccess code injection
Weaknesses CWE-74
CWE-94
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Provectus Kafka-ui Ui
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T14:50:47.812Z

Reserved: 2026-04-04T14:04:02.364Z

Link: CVE-2026-5562

cve-icon Vulnrichment

Updated: 2026-04-06T14:46:38.105Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-05T11:16:56.993

Modified: 2026-04-30T20:22:20.243

Link: CVE-2026-5562

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:56:51Z

Weaknesses