CVE-2026-1597: Improper Authorization in Bdtask SalesERP
A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-1597 is an improper authorization vulnerability identified in Bdtask SalesERP, a business resource planning application widely used for sales and inventory management. The flaw exists in the processing of the ci_session argument within the Administrative Endpoint component. Improper validation or manipulation of this argument allows an attacker to bypass authorization checks remotely, gaining unauthorized administrative access without requiring authentication or user interaction. This can lead to unauthorized access to sensitive administrative functions, potentially enabling data leakage, unauthorized modifications, or disruption of ERP operations. The vulnerability affects versions up to 20260116, and the vendor has not issued any patches or responses despite early notification. The CVSS 4.0 vector indicates low complexity (AC:L), no privileges required (PR:L but no authentication needed), no user interaction, and partial impact on confidentiality, integrity, and availability. The exploitability is rated as probable (E:P), but no known exploits have been observed in the wild yet. The lack of vendor response and the public disclosure increase the risk of exploitation by threat actors. Organizations relying on SalesERP should consider this vulnerability a significant risk to their administrative controls and overall ERP security posture.
Potential Impact
For European organizations, especially SMEs and enterprises using Bdtask SalesERP, this vulnerability poses a risk of unauthorized administrative access to critical business systems. Exploitation could lead to exposure or manipulation of sensitive sales, inventory, and customer data, undermining confidentiality and integrity. Unauthorized changes to ERP configurations or data could disrupt business operations, impacting availability and causing financial and reputational damage. The remote nature of the exploit increases the attack surface, particularly for organizations exposing ERP administrative endpoints to the internet or poorly segmented internal networks. Given the lack of vendor patching, organizations may face prolonged exposure, increasing the window for potential attacks. Compliance with data protection regulations such as GDPR could be jeopardized if sensitive personal data is accessed or altered without authorization. The medium severity rating suggests moderate but non-trivial impact, warranting prioritized mitigation efforts.
Mitigation Recommendations
1. Immediately restrict network access to the SalesERP Administrative Endpoint by implementing IP whitelisting or VPN-only access to limit exposure to trusted users.
2. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious manipulation of the ci_session parameter.
3. Conduct thorough access control reviews and harden authorization mechanisms within SalesERP configurations where possible.
4. Monitor logs for unusual administrative access patterns or failed authorization attempts indicative of exploitation attempts.
5. Isolate ERP systems from public-facing networks and segment them within internal networks to reduce lateral movement risk.
6. Engage with Bdtask or community forums for any unofficial patches, workarounds, or updates.
7. Prepare incident response plans specific to ERP compromise scenarios.
8. Consider deploying multi-factor authentication (MFA) for administrative access if supported by the platform as an additional layer of defense.
9. Regularly back up ERP data and configurations to enable recovery in case of compromise.
10. Stay alert for any future vendor advisories or third-party patches addressing this vulnerability.
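As an added example, not code from the advisory or from Bdtask: a small access-log scan that applies recommendations 1 and 4 above, flagging administrative requests that arrive from outside the allowlisted network, carry a missing or malformed ci_session value, or succeed with a ci_session the application never issued. The admin path prefixes, the trusted network, the log line format and the 32-hex-character session id shape are assumptions; ci_session is CodeIgniter's default session cookie name, and the log lines and issued-session set are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed admin path prefixes; the advisory names only an "Administrative Endpoint".
ADMIN_PREFIXES = ("/admin", "/dashboard")
# Assumed management network that is allowed to reach admin endpoints (recommendation 1).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed shape of a server-issued session id: 32 lowercase hex characters.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumed log format: combined-style line with the Cookie header as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

@dataclass
class Finding:
    ip: str
    path: str
    reason: str

def cookie_value(cookie_hdr, name="ci_session"):
    """Return the value of one cookie from a raw Cookie header, or None."""
    for part in cookie_hdr.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None

def check_line(line, issued_sessions):
    """Return a Finding for a suspicious admin request, else None (recommendation 4)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    if not path.startswith(ADMIN_PREFIXES):
        return None
    if not any(ipaddress.ip_address(m["ip"]) in net for net in TRUSTED_NETS):
        return Finding(m["ip"], path, "admin endpoint reached from outside the allowlist")
    sid = cookie_value(m["cookie"])
    if sid is None or not SESSION_ID_RE.match(sid):
        return Finding(m["ip"], path, "missing or malformed ci_session value")
    if sid not in issued_sessions and m["status"].startswith("2"):
        return Finding(m["ip"], path, "admin request succeeded with a ci_session not issued by the app")
    return None

def scan(lines, issued_sessions):
    return [f for f in (check_line(ln, issued_sessions) for ln in lines) if f]

# Constructed sample data: one session id the application really issued, and five log lines.
ISSUED = {"3f2a" * 8}
SAMPLE_LOG = [
    '10.1.2.3 - - [05/Feb/2026:13:44:27 +0000] "GET /admin/users HTTP/1.1" 200 512 "ci_session=' + "3f2a" * 8 + '"',
    '203.0.113.9 - - [05/Feb/2026:13:44:31 +0000] "GET /admin/users HTTP/1.1" 200 512 "ci_session=' + "3f2a" * 8 + '"',
    '10.1.2.4 - - [05/Feb/2026:13:44:40 +0000] "GET /admin/settings HTTP/1.1" 200 900 "ci_session=' + "deadbeef" * 4 + '"',
    '10.1.2.5 - - [05/Feb/2026:13:44:50 +0000] "GET /admin/settings HTTP/1.1" 200 900 "ci_session=abc"',
    '10.1.2.6 - - [05/Feb/2026:13:45:00 +0000] "GET /products HTTP/1.1" 200 100 ""',
]
```

Running `scan(SAMPLE_LOG, ISSUED)` yields three findings (the off-allowlist source, the unissued session, and the malformed cookie); the in-allowlist request with an issued session and the non-admin request produce none.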
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-29T08:44:28.621Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697b8e08ac063202229e04a7
Added to database: 1/29/2026, 4:42:48 PM
Last enriched: 1/29/2026, 4:57:08 PM
Last updated: 2/5/2026, 1:44:27 PM