Description
A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

1024-lab smart-admin versions up to 3.30.0 contain an access-control flaw in the Demo Site component. A client can manipulate requests to the /smart-admin-api/druid/index.html file and bypass the intended restrictions, viewing or interacting with protected content without proper authorization. The flaw originates in an unknown function within that path and is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control).

Affected Systems

The vulnerable product is 1024-lab smart-admin, specifically any release through 3.30.0. The flaw is tied to the Demo Site's index.html endpoint located in the smart-admin-api/druid directory. All deployments of these versions that expose the index.html endpoint are susceptible, regardless of environment or deployment size.

Risk and Exploitability

The CVSS score of 6.9 places this issue in the medium severity range, and its EPSS score is not published, indicating insufficient data to assess real-world exploitation probability. The vulnerability can be triggered remotely by an attacker who can reach the demo site endpoint. Because it is not listed in the CISA KEV catalog, it is not known to be actively exploited, but the lack of a vendor fix still poses a risk. The exploitation path requires only reaching the index.html endpoint; no known authentication or network barriers prevent an attacker from attempting the manipulation.

Generated by OpenCVE AI on April 30, 2026 at 03:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update 1024-lab smart-admin to a release newer than 3.30.0, applying the official vendor patch if available.
  • If an upgrade cannot be performed immediately, block or limit access to /smart-admin-api/druid/index.html at the firewall or web-server level, restricting it to trusted networks or IP addresses.
  • Add application or infrastructure level checks to verify proper authorization before serving the Demo Site content, and monitor access logs for unexpected activity around the index.html endpoint.
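As an added defensive example (not part of the OpenCVE record or the smart-admin project), the following Python check reviews web-server access logs for requests to the Druid console path named above and reports those that came from outside a trusted range, distinguishing requests the server answered from those it refused. The trusted networks and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Console path from the advisory; any request beneath it is worth reviewing.
DRUID_PREFIX = "/smart-admin-api/druid/"
# Assumed trusted admin ranges (constructed placeholders, not from the advisory).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
# Combined Log Format as written by nginx and Apache by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_trusted(ip: str) -> bool:
    """True when the client address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed or non-IP token: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def flag_druid_access(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Report druid-console requests from untrusted clients; verdict 'served' means
    the console answered (control missing or bypassed), 'blocked' means it refused."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if not path.startswith(DRUID_PREFIX) or is_trusted(m.group("ip")):
            continue
        status = int(m.group("status"))
        findings.append({"ip": m.group("ip"), "time": m.group("ts"), "path": path,
                         "status": m.group("status"),
                         "verdict": "served" if status < 400 else "blocked"})
    return findings

# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Apr/2026:10:01:22 +0000] "GET /smart-admin-api/druid/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Apr/2026:10:02:01 +0000] "GET /smart-admin-api/druid/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Apr/2026:10:03:40 +0000] "GET /smart-admin-api/druid/index.html?x=1 HTTP/1.1" 403 153 "-" "curl/8.0"',
    '203.0.113.7 - - [30/Apr/2026:10:04:12 +0000] "POST /smart-admin-api/login HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in flag_druid_access(SAMPLE_LOG):
        print(f"{f['verdict']:>7}  {f['ip']:<14} {f['status']}  {f['path']}  ({f['time']})")
```

A 'served' finding from an untrusted address means the block at the firewall or web-server level is not yet effective for that path; 'blocked' findings show the mitigation holding and still give a record of who is probing it.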

Advisories

No advisories yet.

History

(Each entry lists the type of change and the values added; no entry removed any values.)

Thu, 30 Apr 2026 14:15:00 +0000
  Metrics (values added): ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 08:15:00 +0000
  First Time appeared (values added): 1024-lab; 1024-lab smartadmin
  Vendors & Products (values added): 1024-lab; 1024-lab smartadmin

Thu, 30 Apr 2026 01:15:00 +0000
  Description (values added): A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
  Title (values added): 1024-lab smart-admin Demo Site index.html access control
  Weaknesses (values added): CWE-266; CWE-284
  References (values added): (empty)
  Metrics (values added):
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T13:11:59.503Z

Reserved: 2026-04-29T19:17:13.210Z

Link: CVE-2026-7468

Vulnrichment

Updated: 2026-04-30T13:11:55.530Z

NVD

Status: Deferred

Published: 2026-04-30T01:16:03.170

Modified: 2026-04-30T14:52:54.847

Link: CVE-2026-7468

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:00:12Z

Weaknesses