Description
Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse.

This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.
Published: 2026-04-30
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an IDOR that permits an authenticated user to manipulate a user-controlled key to bypass authorization checks, effectively allowing the user to read or modify data and invoke actions that should be restricted to higher-privileged accounts. The flaw is identified as CWE-639.

Affected Systems

The affected product is MeWare Software Development Inc. PDKS. Any installation running a version from V16.20200313 up to but not including VMYR_3.5.2025117 is vulnerable. Version VMYR_3.5.2025117 and later have the fix.

Risk and Exploitability

The CVSS score of 8.1 marks this as high severity. Although the EPSS score is unavailable, the absence of a KEV listing suggests no known public exploitation as of now. Attackers can exploit the flaw remotely, typically through the application’s web or API interface, by supplying crafted key parameters. Successful exploitation would give the attacker unauthorized access to sensitive data or privileged functions.

Generated by OpenCVE AI on May 1, 2026 at 05:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to MeWare Software Development Inc. PDKS version VMYR_3.5.2025117 or newer to apply the IDOR fix.
  • If an immediate upgrade is not feasible, restrict user access to endpoints that accept user-controlled keys, or disable those API routes until patching.
  • Implement strict input validation and enforce proper authorization checks on all key parameters at both application and server layers.

Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Meware Software Development; Meware Software Development pdks
Vendors & Products | | Meware Software Development; Meware Software Development pdks

Thu, 30 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.
Title | | IDOR in MeWare Software's PDKS
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-04-30T13:14:29.103Z

Reserved: 2026-04-29T11:21:20.483Z

Link: CVE-2026-7399

Vulnrichment

Updated: 2026-04-30T13:14:26.208Z

NVD

Status: Deferred

Published: 2026-04-30T13:16:06.480

Modified: 2026-04-30T15:09:03.710

Link: CVE-2026-7399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:22Z

Weaknesses