CVE-2026-1733 is an improper authorization vulnerability found in Zhong Bang's CRMEB product, versions 5.6.0 through 5.6.3. The flaw resides in the detail/tidyOrder function within the API endpoint /api/store_integral/order/detail/:uni, where the order_id parameter is insufficiently validated. This allows an attacker to remotely manipulate the order_id argument to access order details that should be restricted, bypassing authorization controls. The vulnerability does not require user interaction and can be exploited without prior authentication but does require low privileges, indicating that an attacker with minimal access can leverage it. The vendor was notified early but did not respond or provide patches, and no official fixes or mitigations have been released. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality (VC:L) with no impact on integrity or availability. While no known exploits are currently active in the wild, the availability of public exploit code increases the risk of exploitation. The vulnerability primarily threatens confidentiality by exposing sensitive order information, which could lead to data leakage or further targeted attacks. The lack of vendor response and patch availability necessitates immediate attention from users of CRMEB to implement compensating controls.

For European organizations using Zhong Bang CRMEB, this vulnerability poses a risk of unauthorized disclosure of order-related data, potentially exposing customer information, transaction details, and business-sensitive order processing data. This could lead to privacy violations under GDPR, reputational damage, and potential financial losses if attackers leverage exposed data for fraud or social engineering. The medium severity reflects that while the vulnerability does not directly impact system integrity or availability, the confidentiality breach can have significant compliance and trust implications. Organizations in sectors such as retail, e-commerce, and supply chain management that rely on CRMEB for order management are particularly vulnerable. The remote exploitability and lack of required user interaction increase the attack surface, especially for externally facing API endpoints. The absence of vendor patches means organizations must rely on internal controls and monitoring to mitigate risk until an official fix is available.

1. Immediately restrict access to the /api/store_integral/order/detail/:uni endpoint using network-level controls such as IP whitelisting or VPN access to limit exposure. 2. Implement strict server-side authorization checks to validate that the requesting user or system has permission to access the specified order_id, ensuring that order data is only returned to authorized parties. 3. Employ API gateways or web application firewalls (WAFs) with custom rules to detect and block anomalous or unauthorized order_id parameter manipulations. 4. Monitor API logs for unusual access patterns or repeated attempts to access unauthorized order details, enabling early detection of exploitation attempts. 5. Conduct internal code reviews and penetration testing focused on authorization logic within CRMEB to identify and remediate similar flaws. 6. Engage with Zhong Bang or the wider CRMEB user community to track patch releases or official advisories. 7. Where possible, isolate CRMEB deployments from public internet exposure or use strong authentication and authorization mechanisms to reduce risk. 8. Educate relevant staff on the vulnerability and ensure incident response plans include scenarios involving unauthorized data access through CRMEB.