Description
An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the endpoint '/minerva/moUser/show/'. If this vulnerability is successfully exploited, an authenticated user can access the data of other registered users simply by modifying the ID. This allows an attacker to obtain a list of users.
Published: 2026-04-28
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure direct object reference in the /minerva/moUser/show/ endpoint of MphRx’s Minerva V3.6.0. An authenticated user can change the numeric identifier in the request URL and retrieve the data of any other registered user, effectively enumerating user profiles. This breaks the confidentiality guarantees expected of an authenticated system and is classified under CWE‑284 (Improper Access Control). The primary consequence is unauthorized disclosure of personal or sensitive user information.

Affected Systems

The flaw affects MphRx’s Minerva software, version 3.6.0. Any deployment of that version that exposes the endpoint without additional access controls is susceptible. Administrators should verify that all installations run a version later than 3.6.0 or have compensating controls in place.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity; exploitation takes place within an authenticated session. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. Because the flaw requires a legitimate user account, the realistic attack vectors are insiders and compromised accounts, but no privilege escalation is needed. Once an attacker holds any valid account, whether obtained through credential reuse or brute force, the data of every user can be read simply by modifying identifiers, which makes this a serious privacy violation in environments that hold sensitive information.

Generated by OpenCVE AI on April 28, 2026 at 19:21 UTC.

Remediation

Vendor Solution

No solution has been reported yet.


OpenCVE Recommended Actions

  • Work with MphRx to obtain an official patch, or roll the vulnerable endpoint back to a previous stable release once remediation is provided.
  • Implement strict authorization checks on the /minerva/moUser/show/ endpoint so that the requested user identifier matches the authenticated user’s ID or that the requester has explicitly elevated privileges; otherwise reject the request.
  • Disable or limit access to the vulnerable endpoint for non‑privileged accounts and consider replacing the numeric ID references with opaque tokens that prevent enumeration.
  • Actively monitor authentication logs for anomalous ID usage and apply rate‑limiting to mitigate enumeration attempts.
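The second, third and fourth actions above can be shown side by side in code. The following is an added illustration, not MphRx or Minerva code: a handler that only authenticates (the IDOR pattern), the same handler with an object-level authorization check, an opaque-token lookup layered on top of it, and a small detector that flags accounts requesting many distinct user IDs. The user store, the "user"/"admin" roles, the request-log format and the handler names are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
import secrets


@dataclass
class User:
    id: int
    username: str
    email: str
    role: str  # "user" or "admin"; constructed, Minerva's real role model is unknown


# Constructed sample store with sequential IDs, the pattern that makes enumeration trivial.
USERS = {
    1: User(1, "alice", "alice@example.invalid", "user"),
    2: User(2, "bob", "bob@example.invalid", "user"),
    3: User(3, "carol", "carol@example.invalid", "admin"),
}


class Forbidden(Exception):
    """Requester is authenticated but not allowed to read this record."""


class NotFound(Exception):
    """No record behind the supplied reference."""


def _profile(user: User) -> dict:
    return {"id": user.id, "username": user.username, "email": user.email}


def show_user_vulnerable(requester: User, target_id: int) -> dict:
    """Authentication only: any logged-in user can read any record by changing the ID."""
    user = USERS.get(target_id)
    if user is None:
        raise NotFound
    return _profile(user)


def show_user_hardened(requester: User, target_id: int) -> dict:
    """Object-level authorization: the record must be the requester's own, or the
    requester must hold an explicitly elevated role. The decision is taken before
    the lookup, so a non-privileged caller learns nothing about which IDs exist."""
    if target_id != requester.id and requester.role != "admin":
        raise Forbidden
    user = USERS.get(target_id)
    if user is None:
        raise NotFound
    return _profile(user)


# Opaque references: a random, unguessable token per user, mapped server-side.
# This stops enumeration by counting; it is defense in depth, not a replacement
# for the authorization check, which show_user_by_token still applies.
_ID_TO_TOKEN: dict[int, str] = {}
_TOKEN_TO_ID: dict[str, int] = {}


def token_for(user_id: int) -> str:
    if user_id not in _ID_TO_TOKEN:
        tok = secrets.token_urlsafe(16)
        _ID_TO_TOKEN[user_id] = tok
        _TOKEN_TO_ID[tok] = user_id
    return _ID_TO_TOKEN[user_id]


def show_user_by_token(requester: User, token: str) -> dict:
    target_id = _TOKEN_TO_ID.get(token)
    if target_id is None:
        raise NotFound
    return show_user_hardened(requester, target_id)


def attempt(handler, requester: User, ref) -> str:
    """Collapse a handler call into a result label for comparison and testing."""
    try:
        handler(requester, ref)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


# Detection: flag accounts that request many distinct user IDs on the show endpoint.
# Log format is constructed for this example: "<requester_id> <method> <path>".
SHOW_PREFIX = "/minerva/moUser/show/"


def flag_enumeration(log_lines, threshold: int = 3) -> dict:
    distinct = defaultdict(set)
    for line in log_lines:
        requester, _method, path = line.split()
        if path.startswith(SHOW_PREFIX):
            distinct[requester].add(path[len(SHOW_PREFIX):])
    return {r: len(ids) for r, ids in distinct.items() if len(ids) >= threshold}


SAMPLE_LOG = [  # constructed: account 2 walks through four different user IDs
    "1 GET /minerva/moUser/show/1",
    "2 GET /minerva/moUser/show/1",
    "2 GET /minerva/moUser/show/2",
    "2 GET /minerva/moUser/show/3",
    "2 GET /minerva/moUser/show/4",
    "3 GET /minerva/moUser/show/3",
]


if __name__ == "__main__":
    bob = USERS[2]
    print("vulnerable:", attempt(show_user_vulnerable, bob, 1))  # ok: bob reads alice
    print("hardened:  ", attempt(show_user_hardened, bob, 1))    # forbidden
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))           # {'2': 4}
```

Note that the hardened handler returns "forbidden" for a non-privileged caller whether or not the target ID exists, so the response itself cannot be used to confirm which IDs are valid; only an administrator sees the distinction between forbidden and not found. The detector's threshold is deliberately low for the constructed log and would be tuned to the real traffic profile before it drives rate limiting.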

Advisories

No advisories yet.

History

Tue, 05 May 2026 14:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Agilonhealth; Agilonhealth minerva
CPEs                 (none)           cpe:2.3:a:agilonhealth:minerva:3.6.0:*:*:*:*:*:*:*
Vendors & Products   (none)           Agilonhealth; Agilonhealth minerva
Metrics              (none)           cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Wed, 29 Apr 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Mphrx; Mphrx minerva
Vendors & Products   (none)           Mphrx; Mphrx minerva

Tue, 28 Apr 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics              (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the endpoint '/minerva/moUser/show/'. If this vulnerability is successfully exploited, an authenticated user can access the data of other registered users simply by modifying the ID. This allows an attacker to obtain a list of users.
Title                (none)           Multiple vulnerabilities in MphRx's Minerva
Weaknesses           (none)           CWE-284
References           (none)
Metrics              (none)           cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-28T13:41:20.182Z

Reserved: 2026-04-08T08:32:49.345Z

Link: CVE-2026-5780

Vulnrichment

Updated: 2026-04-28T13:41:16.659Z

NVD

Status : Analyzed

Published: 2026-04-28T13:19:22.593

Modified: 2026-05-05T14:22:38.873

Link: CVE-2026-5780

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:51Z

Weaknesses