CVE-2026-7144 - Vulnerability Details

- 1000 Projects Portfolio Management System MCA update_passwd_process.php authorization

Description

A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

Published: 2026-04-27

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the update_passwd_process.php of 1000 Projects Portfolio Management System MCA 1.0. By manipulating the temp_user argument, an attacker can bypass normal authorization checks, allowing unauthorized password changes. This flaw constitutes an authorization bypass (CWE‑285) and an authorization logic error (CWE‑639). The impact is that an attacker who can reach the affected endpoint can change any user's password without proper authentication, compromising account integrity.

Affected Systems

The affected product is the 1000 Projects Portfolio Management System MCA version 1.0. The flaw exists in the update_passwd_process.php file of this release. No other versions or modules are listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 places this issue in the moderate severity range. EPSS information is not available. The vulnerability is not listed in the CISA KEV catalog, yet the description confirms that an exploit has been released publicly and can be launched remotely, meaning attackers can target the web endpoint without local access. The attack vector is therefore the web interface, where crafted requests to update_passwd_process.php manipulate temp_user to elevate privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

1000 Projects

Portfolio Management System MCA

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

1000projects

Portfolio Management System Mca

99%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify whether a vendor patch or newer release of 1000 Projects Portfolio Management System MCA exists; apply if available.
Restrict the acceptance of the temp_user parameter to a whitelist of authorized values and enforce authentication checks before allowing password changes.
Temporarily disable or lock down the update_passwd_process.php endpoint for unauthenticated or non‑admin traffic until a fix is applied.

Generated by OpenCVE AI on April 28, 2026 at 12:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://1000projects.org/
https://github.com/9str0IL/CVE/issues/4
https://vuldb.com/submit/801610
https://vuldb.com/vuln/359743
https://vuldb.com/vuln/359743/cti

History

Tue, 28 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		1000projects 1000projects portfolio Management System Mca
Vendors & Products		1000projects 1000projects portfolio Management System Mca

Mon, 27 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 27 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
Title		1000 Projects Portfolio Management System MCA update_passwd_process.php authorization
Weaknesses		CWE-285 CWE-639
References		https://1000projects.org/ https://github.com/9str0IL/CVE/issues/4 https://vuldb.com/submit/801610 https://vuldb.com/vuln/359743 https://vuldb.com/vuln/359743/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

1000projects Portfolio Management System Mca

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-27T17:30:15.437Z

Updated: 2026-04-27T17:58:02.332Z

Reserved: 2026-04-26T19:47:23.308Z

Link: CVE-2026-7144

Vulnrichment

Updated: 2026-04-27T17:57:47.888Z

NVD

Status : Deferred

Published: 2026-04-27T18:16:56.577

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7144

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:00:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object