Description
An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from: '/api/suppliers/v1/suppliers//false' to list user information; and '/#/supplier-registration/supplier-registration//2' to update your user information (personal details, documents, etc.).
Published: 2026-04-22
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: Unauthorized Data Access
Action: Apply Patch
AI Analysis

Impact

An insecure direct object reference vulnerability exists in the Fullstep registration flow. A logged‑in user can request data belonging to another user by manipulating the supplier ID in the API paths, enabling the retrieval or modification of that user’s personal details and documents. The flaw arises from missing authorization checks for the /api/suppliers/v1/suppliers/ endpoint and the supplier‑registration page, allowing an attacker to view or alter another account’s information. The weakness is a classic case of CWE‑639, where an application fails to enforce proper access‑control checks.

Affected Systems

The issue affects Fullstep’s Fullstep product, specifically versions in the 5.x line. The vulnerability was fixed in version 5.30.07, which became available on January 29, 2026; all earlier 5.x releases remain affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.6, indicating a high severity potential for data compromise. Exploitation requires the attacker to authenticate to the application, which is likely most common in internal or compromised environments. No public exploits are reported and the vulnerability is not listed in CISA’s KEV catalog, but the absence of EPSS data underscores that the exploitation probability is uncertain. Nonetheless, because the flaw grants an attacker access to sensitive user data, the risk warrants prompt remediation.

Generated by OpenCVE AI on April 22, 2026 at 19:21 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Fullstep team in version 5.30.07, which has been available in production since January 29, 2026.

OpenCVE Recommended Actions

  • Upgrade Fullstep to version 5.30.07 or later; the patch removes the missing authorization checks on the vulnerable endpoints.
  • If upgrading immediately is not feasible, block the vulnerable API paths and supplier‑registration URLs through a firewall or access‑control rule until the update is applied.
  • Review other business functions for similar IDOR patterns, ensuring that every resource requiring ownership checks performs a proper access‑control validation as advised by CWE‑639.

Generated by OpenCVE AI on April 22, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from: '/api/suppliers/v1/suppliers//false' to list user information; and '/#/supplier-registration/supplier-registration//2' to update your user information (personal details, documents, etc.).
Title Insecure direct object reference (IDOR) vulnerability in Fullstep
First Time appeared Fullstep
Fullstep fullstep
Weaknesses CWE-639
CPEs cpe:2.3:a:fullstep:fullstep:5.30.07:*:*:*:*:*:*:*
cpe:2.3:a:fullstep:fullstep:5:*:*:*:*:*:*:*
Vendors & Products Fullstep
Fullstep fullstep
References
Metrics cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Fullstep Fullstep
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-22T13:59:00.643Z

Reserved: 2026-04-07T15:31:15.848Z

Link: CVE-2026-5750

cve-icon Vulnrichment

Updated: 2026-04-22T13:58:50.503Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:17:06.173

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-5750

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses