CVE-2026-1733: Improper Authorization in Zhong Bang CRMEB
A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-1733 is an improper authorization vulnerability in Zhong Bang's CRMEB, reported against versions 5.6.0 through 5.6.3 (the description says "up to 5.6.3"). The flaw sits in the detail/tidyOrder handling behind the API route /api/store_integral/order/detail/:uni. The handler resolves an order from the caller-supplied order_id argument without confirming that the order belongs to the requesting user, so changing order_id returns another customer's order details: an insecure direct object reference (IDOR) pattern. Exploitation is remote, has low attack complexity and, per the published CVSS 4.0 vector, needs neither privileges nor user interaction. The impact is primarily to confidentiality; integrity and availability are rated low. The vendor was contacted before disclosure and did not respond, and no official patch has been released. A public exploit is available, which raises the likelihood of exploitation. The exposed data is order information, which can include customer and transaction details, so organizations running affected versions should treat this as needing prompt attention.
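The pattern behind this class of flaw, and the fix, shown as an added Python example. This is not CRMEB's own PHP code and does not reproduce its implementation; the order table, the function names detail_vulnerable and detail_fixed, and the tidy_order helper are constructed for illustration. The vulnerable variant fetches an order purely by the identifier the client sent; the hardened variant makes ownership part of the lookup predicate.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Order:
    uni: str       # order number shown to the customer (the :uni path segment)
    order_id: int  # internal numeric id (the order_id argument)
    uid: int       # customer who placed the order
    total: str
    address: str


# Constructed sample table: two customers, three orders. Not real data.
ORDERS: List[Order] = [
    Order("wx202601010001", 101, 7, "199.00", "Alice, 1 Example Rd"),
    Order("wx202601010002", 102, 7, "59.90", "Alice, 1 Example Rd"),
    Order("wx202601010003", 103, 9, "1200.00", "Bob, 2 Sample Ave"),
]


def tidy_order(order: Order) -> Dict[str, object]:
    """Shape a row for the API response (stand-in for a tidyOrder-style helper)."""
    return {"uni": order.uni, "order_id": order.order_id,
            "total": order.total, "address": order.address}


def detail_vulnerable(order_id: int, current_uid: int) -> Optional[Dict[str, object]]:
    """Fetches purely by order_id. current_uid is available but never consulted,
    so any caller who changes order_id reads another customer's order (IDOR)."""
    for o in ORDERS:
        if o.order_id == order_id:
            return tidy_order(o)
    return None


def detail_fixed(order_id: int, current_uid: int) -> Optional[Dict[str, object]]:
    """Ownership is part of the lookup predicate itself. In SQL terms this is the
    difference between WHERE id = :id and WHERE id = :id AND uid = :uid.
    A foreign order and a missing order both yield None, so the response does
    not reveal which identifiers exist."""
    for o in ORDERS:
        if o.order_id == order_id and o.uid == current_uid:
            return tidy_order(o)
    return None


if __name__ == "__main__":
    # Alice (uid 7) asks for Bob's order 103.
    print("vulnerable:", detail_vulnerable(103, current_uid=7))  # Bob's address leaks
    print("fixed:     ", detail_fixed(103, current_uid=7))       # None
```

The same rule applies whichever key selects the order (the uni path segment or the order_id argument): the caller's identity must be in the query, not in a later check that a code path can skip. Returning the identical not-found result for foreign and non-existent orders also removes the existence oracle that makes identifier enumeration cheap.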
Potential Impact
The primary impact of CVE-2026-1733 is unauthorized disclosure of order-related data, which can include sensitive customer and transactional information. This can lead to privacy violations, loss of customer trust, and potential regulatory compliance issues, especially in jurisdictions with strict data protection laws. Attackers exploiting this vulnerability could gather intelligence on business operations or customer purchasing behavior. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach alone can have significant reputational and financial consequences. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad. Organizations worldwide using Zhong Bang CRMEB in e-commerce or retail sectors are at risk, particularly those with high volumes of sensitive order data. The availability of a public exploit increases the risk of automated scanning and exploitation attempts.
Mitigation Recommendations
Organizations should first audit their CRMEB installations to identify affected versions (5.6.0 to 5.6.3). No official patch exists, but CRMEB is a PHP application deployed from source, so operators can fix the handler themselves: make the order lookup behind /api/store_integral/order/detail/:uni include the requesting user's identity in the query predicate (the order must belong to the authenticated uid, whichever of the uni path segment or the order_id argument selects it), and return the same not-found response for a foreign order as for a non-existent one so the endpoint does not confirm which identifiers exist. Filtering at a WAF on "unusual" order_id values is a weak stopgap, because a valid identifier belonging to someone else looks exactly like the caller's own; rate limiting and per-client caps on the number of distinct identifiers requested from this route are more useful. If the route is reachable without a customer session, put it behind the normal login at the reverse proxy or gateway; that does not remove the IDOR (a logged-in customer can still read other customers' orders) but it closes the anonymous path and ties enumeration to an account. Monitor access logs for clients or accounts that request many distinct order identifiers in a short window, since a legitimate customer reads only their own handful of orders. Track Zhong Bang for an official fix and plan to upgrade when one ships. Finally, make sure developers and administrators recognize this class of bug (object lookups that are not scoped to the caller), since the same pattern recurs in custom and third-party code.
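A minimal version of the log check recommended above, added here as an example and not part of the advisory or of CRMEB: it parses nginx-style access-log lines, keeps the hits on the order-detail route, and flags any client that requests many distinct order identifiers inside a sliding window. The log lines are constructed; the field layout (combined format, identifier in the :uni path segment), the 5-minute window and the threshold of 5 are assumptions to tune for your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed nginx "combined"-format lines (not real traffic). The path mirrors the
# advisory's endpoint; the order numbers and timestamps are made up.
# 203.0.113.5 walks six consecutive order numbers in six seconds (one of them a miss);
# 198.51.100.20 is a customer who opens one order twice.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2026:10:00:01 +0000] "GET /api/store_integral/order/detail/wx202601010001 HTTP/1.1" 200 612 "-" "curl/8.5.0"
203.0.113.5 - - [01/Feb/2026:10:00:02 +0000] "GET /api/store_integral/order/detail/wx202601010002 HTTP/1.1" 200 598 "-" "curl/8.5.0"
203.0.113.5 - - [01/Feb/2026:10:00:03 +0000] "GET /api/store_integral/order/detail/wx202601010003 HTTP/1.1" 200 640 "-" "curl/8.5.0"
203.0.113.5 - - [01/Feb/2026:10:00:04 +0000] "GET /api/store_integral/order/detail/wx202601010004 HTTP/1.1" 404 48 "-" "curl/8.5.0"
203.0.113.5 - - [01/Feb/2026:10:00:05 +0000] "GET /api/store_integral/order/detail/wx202601010005 HTTP/1.1" 200 611 "-" "curl/8.5.0"
203.0.113.5 - - [01/Feb/2026:10:00:06 +0000] "GET /api/store_integral/order/detail/wx202601010006 HTTP/1.1" 200 602 "-" "curl/8.5.0"
198.51.100.20 - - [01/Feb/2026:10:00:05 +0000] "GET /api/store_integral/order/detail/wx202601010040 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Feb/2026:10:00:09 +0000] "GET /api/store_integral/order/detail/wx202601010040 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Feb/2026:10:00:11 +0000] "GET /api/index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT_RE = re.compile(r"^/api/store_integral/order/detail/(?P<uni>[^/?]+)")


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Return (client_ip, timestamp, uni, status) for hits on the order-detail
    endpoint, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = ENDPOINT_RE.match(m["path"])
    if not e:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, e["uni"], int(m["status"])


def find_enumerators(log_text: str, window: timedelta = timedelta(minutes=5),
                     threshold: int = 5) -> Dict[str, int]:
    """Map client_ip -> largest number of distinct order identifiers that client
    requested within any span of length `window`. Only clients at or above
    `threshold` are returned. Misses (404) count too: a guessed identifier that
    does not exist is still an enumeration attempt."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, uni, _status = rec
            by_ip[ip].append((ts, uni))
    flagged: Dict[str, int] = {}
    for ip, events in by_ip.items():
        events.sort()
        left, best = 0, 0
        for right in range(len(events)):
            # Slide the left edge until the span fits inside the window.
            while events[right][0] - events[left][0] > window:
                left += 1
            best = max(best, len({u for _, u in events[left:right + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct order identifiers in one window")
```

If order_id travels in a POST body rather than the URL, the web-server access log only shows the :uni path segment, so body-level enumeration has to be detected from application logs instead. Keying on the account (session token or uid) rather than the source IP is also more robust once the route sits behind login, since attackers rotate addresses more easily than accounts.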
Affected Countries
China, Taiwan, Singapore, Malaysia, Vietnam, Indonesia, United States, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-01T07:35:30.209Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 697fddf0ac06320222500779
Added to database: 2/1/2026, 11:12:48 PM
Last enriched: 2/23/2026, 9:53:51 PM
Last updated: 3/25/2026, 4:44:41 AM