Skip to content
Threat Feed
high advisory

CVE-2026-14753: mjperpinosa stumasy Authorization Bypass

A critical authorization bypass vulnerability (CVE-2026-14753) has been identified in mjperpinosa stumasy, affecting versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw, residing in an unknown function within the /PHP/objects/notes file of the Note Handler/Assignment Handler component, allows a remote attacker to bypass authorization by manipulating the 'assignment_item_id' argument. A public exploit is available, posing an immediate threat.

A significant authorization bypass vulnerability, identified as CVE-2026-14753, has been discovered in mjperpinosa stumasy, affecting all versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw exists within an unspecified function of the /PHP/objects/notes file, part of the Note Handler/Assignment Handler component. Exploitation occurs when a remote attacker manipulates the assignment_item_id argument, leading to an authorization bypass. The vulnerability is considered critical due to a publicly available exploit, enabling immediate threat to affected systems. As mjperpinosa stumasy utilizes continuous delivery with rolling releases, specific version details for affected or patched releases are not available, complicating remediation efforts. While the project was notified via an issue report, no response or fix has been released to date, making immediate detection and mitigation crucial for defenders.

Attack Chain

  1. An attacker identifies a publicly accessible instance of mjperpinosa stumasy.
  2. The attacker crafts a malicious HTTP request targeting the /PHP/objects/notes endpoint of the application.
  3. Within this request, the attacker manipulates the assignment_item_id argument to an unauthorized or unintended value.
  4. The vulnerable stumasy application processes the malformed request through its Note Handler/Assignment Handler component.
  5. Due to the flaw, the application's authorization checks are bypassed, granting the attacker unauthorized access.
  6. The attacker can now perform actions or access data that would normally require higher privileges or proper authorization within the stumasy application.

Impact

The successful exploitation of CVE-2026-14753 allows a remote attacker to bypass authorization controls within mjperpinosa stumasy. This can lead to unauthorized access to sensitive notes, assignments, or potentially other functionalities handled by the affected component. Given the nature of an authorization bypass, an attacker could escalate privileges, modify or delete data, or access information they are not permitted to see, depending on the context of the Note Handler/Assignment Handler. The availability of a public exploit significantly increases the risk of widespread attacks against unpatched or unmitigated instances, potentially compromising the integrity and confidentiality of data managed by the stumasy application.

Recommendation

  • If mjperpinosa releases a fix, apply it immediately to all stumasy instances due to the public exploit (CVE-2026-14753).
  • Monitor web server access logs for suspicious HTTP requests targeting the /PHP/objects/notes path that include unusual or malformed assignment_item_id parameters.
  • Deploy a Web Application Firewall (WAF) to detect and block requests that attempt to manipulate the assignment_item_id argument, looking for patterns indicative of authorization bypass attempts against the Note Handler/Assignment Handler component.
  • Regularly review audit logs for the stumasy application for any unauthorized actions or access patterns observed within the Note Handler/Assignment Handler component.

Indicators of compromise

1

hash_sha1

TypeValue
hash_sha1327d1b0f2915ba79d7ef8ebb74553e987609d9be