CVE-2026-2079 identifies an improper authorization vulnerability in the yeqifu warehouse software, specifically within the Menu Management component's addMenu, updateMenu, and deleteMenu functions located in the MenuController.java source file. This flaw allows an unauthenticated remote attacker to perform unauthorized operations on menu data, bypassing intended access controls. The vulnerability arises from insufficient authorization checks in these functions, enabling manipulation of menu entries without proper permissions. The product follows a rolling release development model, which complicates version tracking; the affected code is identified by a specific commit hash (aaf29962ba407d22d991781de28796ee7b4670e4). Despite early reporting to the project maintainers, no patch or official response has been provided. The vulnerability has a CVSS 4.0 score of 5.3, reflecting medium severity due to its ease of exploitation (no authentication or user interaction required) but limited impact scope (low confidentiality, integrity, and availability impact). No known active exploitation in the wild has been documented, but a public exploit exists, increasing the risk of future attacks. The vulnerability primarily threatens the integrity and availability of menu management functions, potentially allowing attackers to alter or delete menu configurations, which could disrupt application workflows or lead to further privilege escalation if combined with other vulnerabilities.

The improper authorization vulnerability in yeqifu warehouse can lead to unauthorized modification or deletion of menu configurations, impacting the integrity and availability of the affected system's menu management functionality. For organizations relying on yeqifu warehouse for critical operations, this could disrupt normal workflows, cause denial of service in menu-dependent processes, or facilitate further attacks if attackers leverage altered menus to escalate privileges or inject malicious configurations. Since exploitation requires no authentication or user interaction and can be performed remotely, the attack surface is broad. However, the overall impact on confidentiality is low, as the vulnerability does not directly expose sensitive data. The medium severity rating reflects a moderate risk that could escalate if combined with other vulnerabilities or misconfigurations. Organizations worldwide using this software, especially in sectors where menu management controls access to critical functions, may face operational disruptions and increased risk of compromise.

1. Implement strict access control checks in the addMenu, updateMenu, and deleteMenu functions to ensure only authorized users can perform these operations. 2. Conduct a thorough code audit of the MenuController.java and related components to identify and remediate any other authorization weaknesses. 3. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block unauthorized menu management requests. 4. Monitor logs for unusual activity related to menu operations, including unexpected additions, updates, or deletions. 5. Restrict network access to the yeqifu warehouse management interfaces to trusted IP ranges or VPNs to reduce exposure. 6. Engage with the yeqifu project maintainers to obtain patches or updates addressing this vulnerability. 7. If possible, implement multi-factor authentication and role-based access control (RBAC) to limit the impact of compromised credentials. 8. Prepare incident response plans to quickly address potential exploitation attempts. 9. Consider temporary disabling of menu management functions if feasible until a patch is available.