Description
An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitation of this vulnerability could allow an authenticated user to obtain administrator privileges. It is not possible to escalate privileges through the graphical user interface.
Published: 2026-04-28
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorization flaw exists in the "/minerva/moUser/update" endpoint of MphRx's Minerva version 3.6.0. An authenticated user who already has rights to modify user data can craft an HTTP request that changes the 'identifier' field, causing the system to elevate that user to an administrator. The flaw, categorized as CWE-285, allows a user to gain full administrative control without using the graphical interface.

Affected Systems

The vulnerability affects systems running MphRx's Minerva product, specifically the 3.6.0 release as documented by the CNA. No other versions or variants were mentioned in the advisory, and the vendor has not yet issued an updated release.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, but the EPSS score is not available; it also has not been listed in the CISA KEV catalog. Exploitation requires an authenticated session with user-modification privileges and the ability to send a specially crafted HTTP request. Since the attack vector involves direct HTTP calls to the vulnerable endpoint, no UI interaction is needed. The absence of listed exploits suggests that active exploitation may be limited, yet the high CVSS reflects the potential for privilege escalation should an attacker discover or weaponize this flaw.

Generated by OpenCVE AI on April 28, 2026 at 19:21 UTC.

Remediation

Vendor Solution

No solution has been reported yet.


OpenCVE Recommended Actions

  • Deploy a temporary access control rule that blocks or requires administrative credentials for calls to the "/minerva/moUser/update" endpoint.
  • Implement request validation that rejects HTTP payloads where the 'identifier' field is altered for non-administrator accounts.
  • Continuously monitor application logs for unexpected changes to the 'identifier' field and audit user activities that modify user data.
  • Apply an official vendor patch or upgrade to a fixed version when MphRx releases one.
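As an added illustration of the validation and monitoring actions above (example code, not MphRx's or OpenCVE's), the check below denies any change to 'identifier' on the advisory's endpoint unless the caller holds an admin role, and a companion scan flags non-admin identifier changes in audit logs. The role name, the JSON body and audit-log formats, and the lookup of the target record's stored identifier are assumptions.

```python
from dataclasses import dataclass, field
import json

# Endpoint named in the advisory; role and field names are assumptions.
PROTECTED_ENDPOINT = "/minerva/moUser/update"


@dataclass
class Caller:
    user_id: str
    roles: set = field(default_factory=set)


def is_admin(caller):
    return "admin" in caller.roles  # assumed admin role name


def authorize_user_update(caller, stored_identifier, body):
    """Return (allowed, reason). stored_identifier is the target record's
    current 'identifier' (lookup assumed). Non-admins may update other
    fields but never change 'identifier'."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return False, "malformed JSON body"
    if not isinstance(payload, dict):
        return False, "body must be a JSON object"
    if "identifier" in payload and payload["identifier"] != stored_identifier:
        if not is_admin(caller):
            return False, "identifier may only be changed by administrators"
    return True, "ok"


def suspicious_identifier_changes(audit_lines):
    """Return actors who changed 'identifier' on the endpoint without an
    admin role, from JSON audit lines (log format is an assumption)."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        if (ev.get("endpoint") == PROTECTED_ENDPOINT
                and "identifier" in ev.get("changed_fields", [])
                and "admin" not in ev.get("actor_roles", [])):
            hits.append(ev["actor"])
    return hits


# Constructed sample audit lines, not real Minerva logs.
SAMPLE_AUDIT = [
    '{"actor": "u7", "actor_roles": ["user_editor"], "endpoint": "/minerva/moUser/update", "changed_fields": ["identifier"]}',
    '{"actor": "adm1", "actor_roles": ["admin"], "endpoint": "/minerva/moUser/update", "changed_fields": ["identifier"]}',
]
```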



Advisories

No advisories yet.

History

Tue, 05 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Agilonhealth; Agilonhealth minerva
CPEs | | cpe:2.3:a:agilonhealth:minerva:3.6.0:*:*:*:*:*:*:*
Vendors & Products | | Agilonhealth; Agilonhealth minerva
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 29 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mphrx; Mphrx minerva
Vendors & Products | | Mphrx; Mphrx minerva

Tue, 28 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitation of this vulnerability could allow an authenticated user to obtain administrator privileges. It is not possible to escalate privileges through the graphical user interface.
Title | | Multiple vulnerabilities in MphRx's Minerva
Weaknesses | | CWE-285
References | |
Metrics | | cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-04-28T13:40:55.237Z

Reserved: 2026-04-08T08:32:51.109Z

Link: CVE-2026-5781

Vulnrichment

Updated: 2026-04-28T13:40:51.037Z

NVD

Status: Analyzed

Published: 2026-04-28T13:19:22.717

Modified: 2026-05-05T14:24:45.810

Link: CVE-2026-5781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:50Z

Weaknesses