CVE-2026-12593
HIGHCVSS v4.0: 8.7
出典データ取得時点:
概要
- 深刻度
- HIGH
- CVSS
- 8.7 v4.0 · NVD
- EPSS
- このCVEはFIRST.orgからEPSSが提供されていません
- CISA KEV
- 非該当
- タイプ
- Missing Authorization · NVD CWE
- 攻撃条件(CVSSベクター)
- ネットワーク操作不要 · 出典: NVD ベクター
- 公開日
- 2026-07-09 · 更新日: 2026-07-09
- 参照情報
- 参照情報へ移動 (1)
CVSS / EPSS / KEV
出典 — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. データと出典
説明
The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user (with more privileges than the attacker), the attacker knowing its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker would then have had to forge a token creation API request on behalf of the other user and could have authenticated and finalized the token creation with their own OAuth/OIDC credentials. In the worst case, this would mean an attacker could have become Dashboard Administrator and been able to perform all administrative actions if the preexisting internal user had administrative privileges. In combination with a separate weakness, this could have further led to code execution on the host system running the Dashboard with the privileges of the OS-User running the Dashboard server.
参照情報
NVDが列挙した参照URLを、リンクのホスト・パターンに対する機械的な一致でグループ化したもの。ラベルはリンクの種別のみを示します。