{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/missing-authorization/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-41454"}],"_cs_exploited":false,"_cs_products":["WeKan"],"_cs_severities":["high"],"_cs_tags":["wekan","missing-authorization","rest-api","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["WeKan"],"content_html":"\u003cp\u003eWeKan, a collaborative Kanban board application, is vulnerable to a missing authorization issue in versions prior to 8.35. This flaw resides within the Integration REST API endpoints, where authenticated board members can execute administrative actions without sufficient privilege validation. Any authenticated attacker can exploit this vulnerability to enumerate integrations, including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities. The root cause is insufficient authorization checks within the JsonRoutes REST handlers. Successful exploitation can lead to unauthorized access to sensitive information and modification of board configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a WeKan board member account.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the WeKan application via the standard login procedure.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/api/integration\u003c/code\u003e endpoint without proper administrative privileges.\u003c/li\u003e\n\u003cli\u003eDue to missing authorization checks, the request is processed, and the attacker is able to enumerate existing integrations, including sensitive webhook URLs.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another HTTP request to the \u003ccode\u003e/api/integration\u003c/code\u003e endpoint to create a new, malicious integration (e.g., a webhook that sends data to an external attacker-controlled server).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies existing integrations to redirect data flow to attacker-controlled endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes legitimate integrations, disrupting board functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker manages integration activities, potentially triggering malicious actions or gaining further information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to perform administrative actions on WeKan boards without proper authorization. This can lead to the exposure of sensitive webhook URLs, unauthorized modification or deletion of integrations, and the creation of malicious integrations for data exfiltration or disruption. The CVSS v3.1 score of 8.3 indicates a high-severity vulnerability with significant potential for data compromise and system impact. The number of affected WeKan installations is currently unknown, but organizations using WeKan for project management and collaboration are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WeKan to version 8.35 or later to patch CVE-2026-41454, addressing the missing authorization vulnerability as detailed in the \u003ca href=\"#references\"\u003ereference links\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WeKan Integration API Abuse\u0026rdquo; to identify potential exploitation attempts against the Integration REST API endpoints, monitoring webserver logs for unusual API requests.\u003c/li\u003e\n\u003cli\u003eReview and restrict access rights for WeKan board members, ensuring that only authorized personnel have administrative privileges to minimize the attack surface as outlined in the \u003ca href=\"#overview\"\u003eoverview\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/api/integration\u003c/code\u003e with methods like POST, PUT, and DELETE originating from non-admin users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:00:00Z","date_published":"2026-04-23T10:00:00Z","id":"/briefs/2026-04-wekan-missing-auth/","summary":"WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints, allowing authenticated board members to perform administrative actions without proper privilege verification, potentially leading to unauthorized data access and modification.","title":"WeKan Missing Authorization Vulnerability in Integration REST API","url":"https://feed.craftedsignal.io/briefs/2026-04-wekan-missing-auth/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4162"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","missing-authorization","plugin","cve-2026-4162"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Gravity SMTP plugin, a WordPress extension facilitating email sending through SMTP, contains a missing authorization vulnerability (CVE-2026-4162) affecting versions 2.1.4 and earlier. This flaw allows authenticated users with minimal subscriber-level permissions to perform administrative actions such as uninstalling and deactivating the plugin, as well as deleting its associated options. The vulnerability stems from the plugin failing to properly validate user authorization before executing sensitive functions. Additionally, the vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack. Patches have been released in Gravity SMTP version 2.1.5 to address this security concern. Exploitation of this vulnerability allows low-privileged users to disrupt email functionality and potentially compromise WordPress configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with subscriber-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to uninstall the Gravity SMTP plugin, leveraging the missing authorization vulnerability. This request targets the WordPress plugin management endpoint.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a CSRF attack that tricks a privileged user into triggering the malicious HTTP request to uninstall the plugin.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the crafted request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe plugin\u0026rsquo;s uninstall function is executed, removing the Gravity SMTP plugin from the WordPress installation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another HTTP request to delete Gravity SMTP plugin options.\u003c/li\u003e\n\u003cli\u003eThe WordPress server processes the request, and the plugin options are deleted from the database.\u003c/li\u003e\n\u003cli\u003eThe Gravity SMTP plugin is uninstalled and deactivated, and its settings are removed, disrupting the email functionality of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4162 allows attackers with low-level privileges on a WordPress site to disable email functionality and manipulate plugin settings. While the number of affected installations remains unknown, the impact can be significant for organizations heavily reliant on WordPress for communication or critical business processes, potentially leading to disruption of services, loss of email functionality, and unauthorized access to sensitive data or configurations. The CVSS v3.1 score of 7.1 indicates a high severity, considering the ease of exploitation and the potential for widespread disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Gravity SMTP plugin to version 2.1.5 or later to patch CVE-2026-4162.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress access logs for unauthorized requests targeting the plugin management endpoints to detect potential exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect WordPress Plugin Uninstall via Missing Auth\u003c/code\u003e to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement CSRF protection mechanisms within WordPress plugins to mitigate the risk of CSRF-based exploitation.\u003c/li\u003e\n\u003cli\u003eReview WordPress user roles and permissions to minimize the attack surface and restrict access to sensitive functionalities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T10:16:04Z","date_published":"2026-04-10T10:16:04Z","id":"/briefs/2026-04-gravity-smtp-auth-bypass/","summary":"The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.","title":"Gravity SMTP Plugin Missing Authorization Vulnerability (CVE-2026-4162)","url":"https://feed.craftedsignal.io/briefs/2026-04-gravity-smtp-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2024-57726"}],"_cs_exploited":false,"_cs_products":["SimpleHelp"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","missing-authorization","cloud"],"_cs_type":"advisory","_cs_vendors":["SimpleHelp"],"content_html":"\u003cp\u003eCVE-2024-57726 affects SimpleHelp, a remote support software solution. This vulnerability stems from a missing authorization check, allowing low-privileged technicians to create API keys with elevated permissions beyond their intended scope. Specifically, these API keys can be manipulated to grant server admin privileges, potentially enabling unauthorized access to sensitive data and critical system configurations. The vulnerability impacts SimpleHelp versions 5.5.7 and earlier. Successful exploitation allows attackers to bypass intended access controls, gain complete control over the SimpleHelp server, and potentially pivot to other systems within the network. This vulnerability was disclosed in January 2025, and organizations using affected SimpleHelp versions are at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privileged technician logs into the SimpleHelp console with their existing credentials.\u003c/li\u003e\n\u003cli\u003eThe technician leverages the missing authorization vulnerability to create a new API key.\u003c/li\u003e\n\u003cli\u003eDuring API key creation, the attacker manipulates the request to assign excessive permissions beyond their authorized access level.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created API key to authenticate against the SimpleHelp API.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated permissions granted by the manipulated API key to access administrative functions.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates their privileges to the server admin role, granting them complete control over the SimpleHelp server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the server admin role to access sensitive data, modify system configurations, or create new administrative accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially pivots to other systems within the network using the compromised SimpleHelp server as a stepping stone.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-57726 allows low-privileged technicians, or malicious actors who have compromised technician accounts, to escalate their privileges to the server admin role in SimpleHelp. This grants them complete control over the SimpleHelp server, potentially leading to data breaches, system downtime, and further compromise of the network. The vulnerability affects organizations using SimpleHelp versions 5.5.7 and earlier. The number of victims and specific sectors targeted remain unknown, but the potential impact is significant due to the sensitive nature of remote support software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply mitigations provided by SimpleHelp to patch the missing authorization vulnerability in SimpleHelp versions 5.5.7 and earlier (reference: \u003ca href=\"https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier\"\u003ehttps://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SimpleHelp API Key Creation\u003c/code\u003e to identify attempts to create API keys with excessive permissions.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services or discontinue use of SimpleHelp if mitigations are unavailable.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-25T12:00:00Z","date_published":"2024-06-25T12:00:00Z","id":"/briefs/2024-06-simplehelp-privesc/","summary":"A missing authorization vulnerability in SimpleHelp (CVE-2024-57726) allows low-privileged technicians to create API keys with excessive permissions, potentially escalating privileges to the server admin role.","title":"SimpleHelp Missing Authorization Vulnerability Leads to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-06-simplehelp-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Missing-Authorization","version":"https://jsonfeed.org/version/1.1"}