CVE-2026-2078 identifies an improper authorization vulnerability in the yeqifu warehouse software, specifically within the Permission Management component's controller class (PermissionController.java). The affected functions—addPermission, updatePermission, and deletePermission—fail to enforce proper authorization checks, allowing an attacker with limited privileges to remotely manipulate permissions without requiring user interaction or higher-level authentication. This vulnerability could enable unauthorized modification of access controls, potentially leading to privilege escalation or unauthorized data access. The vulnerability is present up to commit aaf29962ba407d22d991781de28796ee7b4670e4, but due to the product's rolling release model, exact affected versions are difficult to pinpoint. The CVSS 4.0 base score is 5.3 (medium), reflecting the ease of remote exploitation without user interaction but requiring some privilege level. The vendor has been notified but has not yet responded or issued a patch. Public exploit code is available, increasing the risk of exploitation. The vulnerability impacts confidentiality, integrity, and availability to a limited degree, primarily through unauthorized permission changes that could disrupt normal operations or expose sensitive data.

The improper authorization vulnerability in yeqifu warehouse could allow attackers with limited privileges to alter permission settings remotely, potentially escalating their access rights or disrupting permission configurations. This can lead to unauthorized data access, modification, or deletion, impacting confidentiality and integrity. Availability may also be affected if critical permissions are revoked or altered, causing denial of service to legitimate users. Organizations relying on yeqifu warehouse for permission management in their supply chain or warehouse operations could face operational disruptions, data breaches, or compliance violations. The public availability of exploit code increases the likelihood of targeted attacks, especially in environments where patching is delayed due to the rolling release model. The lack of vendor response and patch availability further exacerbates the risk, requiring organizations to implement compensating controls proactively.

Organizations should immediately audit and restrict access to the permission management functions within yeqifu warehouse, ensuring only trusted administrators have the necessary privileges. Implement network segmentation and firewall rules to limit remote access to the affected components. Monitor logs for unusual permission changes or access patterns indicative of exploitation attempts. Employ application-layer access controls or web application firewalls (WAFs) to detect and block unauthorized API calls targeting permission functions. Since no official patch is available, consider deploying temporary custom authorization checks or wrappers around the vulnerable functions if feasible. Stay alert for vendor updates or community patches and plan for rapid deployment once available. Conduct regular security assessments and penetration tests focusing on authorization controls in the warehouse system. Finally, educate administrators about the risk and signs of exploitation to improve incident response readiness.