Description
Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers.

This issue affects BAPSİS: before v.202604152042.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an IDOR (Insecure Direct Object Reference): BAPSİS, from ABIS Technology Ltd. Co., relies on a user-controlled key, and an attacker can override that key's value. By providing a crafted identifier, an attacker can obtain or manipulate trusted identifiers that are normally protected, potentially leading to unauthorized access to sensitive information or privileged functionality. The weakness is classified as CWE-639, Authorization Bypass Through User-Controlled Key.

Affected Systems

ABIS Technology Ltd. Co. BAPSİS prior to version 202604152042 is affected. No other vendors, products, or version ranges are specified in the CVE data.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as High severity. No EPSS score is available, so the exploitation probability is unknown, and the absence of a KEV listing does not imply low risk. The likely attack vector is the application's interface where users submit identifiers: an attacker who can supply the key can exploit the authorization bypass. If an exploitable path exists, it may allow unprivileged users to read or modify data that should be restricted to authenticated accounts.

Generated by OpenCVE AI on May 12, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BAPSİS to version 202604152042 or newer, which removes the user‑controlled key vulnerability
  • If an upgrade cannot be performed immediately, disable or tightly restrict the feature that permits arbitrary user identifier input until the patch is applied
  • Enforce strict access control checks for all requests that reference trusted identifiers, ensuring only authenticated roles can manipulate them
  • Monitor application logs for anomalous usage of the user identifier endpoint to detect potential exploitation attempts


Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Abis Technology; Abis Technology bapsis
Vendors & Products | | Abis Technology; Abis Technology bapsis

Tue, 12 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd. Co. BAPSİS allows Exploitation of Trusted Identifiers. This issue affects BAPSİS: before v.202604152042.
Title | | IDOR in Abis Technology's BAPSİS
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-12T12:20:23.312Z

Reserved: 2026-04-09T13:18:37.659Z

Link: CVE-2026-6001

Vulnrichment

Updated: 2026-05-12T12:20:18.420Z

NVD

Status: Deferred

Published: 2026-05-12T10:16:48.083

Modified: 2026-05-12T16:47:58.570

Link: CVE-2026-6001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T11:45:14Z
