Description
A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results in improper authentication. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the doAction method of the RMI interface in IAS Canias ERP 8.03. An attacker can manipulate the sessionId argument to bypass authentication checks, thereby obtaining unauthorized access to the system. This flaw is classified as an authentication bypass and can lead to the compromise of confidentiality and integrity of the application, potentially allowing an attacker to perform any operation as an authenticated user. The nature of the weakness (CWE-287) indicates that the issue stems from faulty implementation of access controls rather than a buffer overflow or code injection.

Affected Systems

The affected product is Industrial Application Software IAS Canias ERP, specifically version 8.03. No other versions or vendor products are listed.

Risk and Exploitability

The CVSS score of 6.9 reflects a moderate severity, while the EPSS score is listed as not available, so the exploitation probability cannot be quantified from the data. The flaw has not been reported in the CISA KEV catalog. Attackers can exploit this remotely through the RMI endpoint, as the description indicates that the attack can be launched from a remote location. Because the vendor has not released a patch or publicly noted a workaround, the risk remains until remedial action is taken.

Generated by OpenCVE AI on May 10, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or update to a version in which the RMI doAction authentication is fixed
  • If a patch is not yet released, restrict network access to the RMI service so only trusted hosts can communicate with it
  • Monitor RMI traffic and audit logs for suspicious sessionId manipulation attempts

Advisories

No advisories yet.

History

Sun, 10 May 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results in improper authentication. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Title | | Industrial Application Software IAS Canias ERP RMI doAction improper authentication |
| Weaknesses | | CWE-287 |
| References | | |
| Metrics | | cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T00:15:09.439Z

Reserved: 2026-05-09T07:19:30.371Z

Link: CVE-2026-8214

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T01:16:07.907

Modified: 2026-05-10T01:16:07.907

Link: CVE-2026-8214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T03:00:03Z

Weaknesses