<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Missing-Authorization — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/missing-authorization/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 23 Apr 2026 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/missing-authorization/feed.xml" rel="self" type="application/rss+xml"/><item><title>WeKan Missing Authorization Vulnerability in Integration REST API</title><link>https://feed.craftedsignal.io/briefs/2026-04-wekan-missing-auth/</link><pubDate>Thu, 23 Apr 2026 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wekan-missing-auth/</guid><description>WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints, allowing authenticated board members to perform administrative actions without proper privilege verification, potentially leading to unauthorized data access and modification.</description><content:encoded><![CDATA[<p>WeKan, a collaborative Kanban board application, is vulnerable to a missing authorization issue in versions prior to 8.35. This flaw resides within the Integration REST API endpoints, where authenticated board members can execute administrative actions without sufficient privilege validation. Any authenticated user can exploit this vulnerability to enumerate integrations (including webhook URLs), create new integrations, modify or delete existing integrations, and manage integration activities.
The root cause is insufficient authorization checks within the JsonRoutes REST handlers. Successful exploitation can lead to unauthorized access to sensitive information and modification of board configurations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains valid credentials for a WeKan board member account.</li>
<li>The attacker authenticates to the WeKan application via the standard login procedure.</li>
<li>The attacker sends a crafted HTTP request to the <code>/api/integration</code> endpoint without proper administrative privileges.</li>
<li>Due to missing authorization checks, the request is processed, and the attacker is able to enumerate existing integrations, including sensitive webhook URLs.</li>
<li>The attacker crafts another HTTP request to the <code>/api/integration</code> endpoint to create a new, malicious integration (e.g., a webhook that sends data to an external attacker-controlled server).</li>
<li>The attacker modifies existing integrations to redirect data flow to attacker-controlled endpoints.</li>
<li>The attacker deletes legitimate integrations, disrupting board functionality.</li>
<li>The attacker manages integration activities, potentially triggering malicious actions or gaining further information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to perform administrative actions on WeKan boards without proper authorization. This can lead to the exposure of sensitive webhook URLs, unauthorized modification or deletion of integrations, and the creation of malicious integrations for data exfiltration or disruption. The CVSS v3.1 score of 8.3 indicates a high severity vulnerability with significant potential for data compromise and system impact. The number of affected WeKan installations is currently unknown, but organizations using WeKan for project management and collaboration are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade WeKan to version 8.35 or later to patch CVE-2026-41454, which addresses the missing authorization vulnerability.</li>
<li>Deploy the Sigma rule &ldquo;Detect WeKan Integration API Abuse&rdquo; to identify potential exploitation attempts against the Integration REST API endpoints, monitoring webserver logs for unusual API requests.</li>
<li>Review and restrict access rights for WeKan board members, ensuring that only authorized personnel hold administrative privileges, to minimize the attack surface.</li>
<li>Monitor webserver logs for requests to <code>/api/integration</code> with methods like POST, PUT, and DELETE originating from non-admin users.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wekan</category><category>missing-authorization</category><category>rest-api</category><category>privilege-escalation</category></item><item><title>Gravity SMTP Plugin Missing Authorization Vulnerability (CVE-2026-4162)</title><link>https://feed.craftedsignal.io/briefs/2026-04-gravity-smtp-auth-bypass/</link><pubDate>Fri, 10 Apr 2026 10:16:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-gravity-smtp-auth-bypass/</guid><description>The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.</description><content:encoded><![CDATA[<p>The Gravity SMTP plugin, a WordPress extension facilitating email sending through SMTP, contains a missing authorization vulnerability (CVE-2026-4162) affecting versions 2.1.4 and earlier. This flaw allows authenticated users with minimal subscriber-level permissions to perform administrative actions such as uninstalling and deactivating the plugin, as well as deleting its associated options. The vulnerability stems from the plugin failing to properly validate user authorization before executing sensitive functions. Additionally, the vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack. Patches have been released in Gravity SMTP version 2.1.5 to address this security concern. Exploitation of this vulnerability allows low-privileged users to disrupt email functionality and potentially compromise WordPress configurations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the WordPress site with subscriber-level or higher privileges.</li>
<li>The attacker crafts a malicious HTTP request to uninstall the Gravity SMTP plugin, leveraging the missing authorization vulnerability. This request targets the WordPress plugin management endpoint.</li>
<li>Alternatively, the attacker crafts a CSRF attack that tricks a privileged user into triggering the malicious HTTP request to uninstall the plugin.</li>
<li>The WordPress server receives the crafted request without proper authorization checks.</li>
<li>The plugin&rsquo;s uninstall function is executed, removing the Gravity SMTP plugin from the WordPress installation.</li>
<li>The attacker crafts another HTTP request to delete Gravity SMTP plugin options.</li>
<li>The WordPress server processes the request, and the plugin options are deleted from the database.</li>
<li>The Gravity SMTP plugin is uninstalled and deactivated, and its settings are removed, disrupting the email functionality of the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4162 allows attackers with low-level privileges on a WordPress site to disable email functionality and manipulate plugin settings. While the number of affected installations remains unknown, the impact can be significant for organizations heavily reliant on WordPress for communication or critical business processes, potentially leading to disruption of services, loss of email functionality, and unauthorized access to sensitive data or configurations. The CVSS v3.1 score of 7.1 indicates a high severity, considering the ease of exploitation and the potential for widespread disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Gravity SMTP plugin to version 2.1.5 or later to patch CVE-2026-4162.</li>
<li>Monitor WordPress access logs for unauthorized requests targeting the plugin management endpoints to detect potential exploitation attempts. Deploy the Sigma rule <code>Detect WordPress Plugin Uninstall via Missing Auth</code> to identify suspicious activity.</li>
<li>Implement CSRF protection mechanisms within WordPress plugins to mitigate the risk of CSRF-based exploitation.</li>
<li>Review WordPress user roles and permissions to minimize the attack surface and restrict access to sensitive functionalities.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>wordpress</category><category>missing-authorization</category><category>plugin</category><category>cve-2026-4162</category></item><item><title>SimpleHelp Missing Authorization Vulnerability Leads to Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2024-06-simplehelp-privesc/</link><pubDate>Tue, 25 Jun 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-06-simplehelp-privesc/</guid><description>A missing authorization vulnerability in SimpleHelp (CVE-2024-57726) allows low-privileged technicians to create API keys with excessive permissions, potentially escalating privileges to the server admin role.</description><content:encoded><![CDATA[<p>CVE-2024-57726 affects SimpleHelp, a remote support software solution. This vulnerability stems from a missing authorization check, allowing low-privileged technicians to create API keys with elevated permissions beyond their intended scope. Specifically, these API keys can be manipulated to grant server admin privileges, potentially enabling unauthorized access to sensitive data and critical system configurations. The vulnerability impacts SimpleHelp versions 5.5.7 and earlier. Successful exploitation allows attackers to bypass intended access controls, gain complete control over the SimpleHelp server, and potentially pivot to other systems within the network. This vulnerability was disclosed in January 2025, and organizations using affected SimpleHelp versions are at risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A low-privileged technician logs into the SimpleHelp console with their existing credentials.</li>
<li>The technician leverages the missing authorization vulnerability to create a new API key.</li>
<li>During API key creation, the attacker manipulates the request to assign excessive permissions beyond their authorized access level.</li>
<li>The attacker uses the newly created API key to authenticate against the SimpleHelp API.</li>
<li>The attacker leverages the elevated permissions granted by the manipulated API key to access administrative functions.</li>
<li>The attacker escalates their privileges to the server admin role, granting them complete control over the SimpleHelp server.</li>
<li>The attacker uses the server admin role to access sensitive data, modify system configurations, or create new administrative accounts.</li>
<li>The attacker potentially pivots to other systems within the network using the compromised SimpleHelp server as a stepping stone.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2024-57726 allows low-privileged technicians, or malicious actors who have compromised technician accounts, to escalate their privileges to the server admin role in SimpleHelp. This grants them complete control over the SimpleHelp server, potentially leading to data breaches, system downtime, and further compromise of the network. The vulnerability affects organizations using SimpleHelp versions 5.5.7 and earlier. The number of victims and specific sectors targeted remain unknown, but the potential impact is significant due to the sensitive nature of remote support software.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply mitigations provided by SimpleHelp to patch the missing authorization vulnerability in SimpleHelp versions 5.5.7 and earlier (reference: <a href="https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier">https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier</a>).</li>
<li>Deploy the Sigma rule <code>Detect Suspicious SimpleHelp API Key Creation</code> to identify attempts to create API keys with excessive permissions.</li>
<li>Follow applicable BOD 22-01 guidance for cloud services or discontinue use of SimpleHelp if mitigations are unavailable.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>missing-authorization</category><category>cloud</category></item></channel></rss>