CVE-2026-2105: Improper Authorization in yeqifu warehouse
CVE-2026-2105 is a medium severity improper authorization vulnerability affecting the yeqifu warehouse product, specifically in the Department Management component's addDept, updateDept, and deleteDept functions. The flaw allows remote attackers to manipulate department data without proper authorization, potentially leading to unauthorized changes in organizational structure data. Exploitation can be performed remotely, requires no user interaction, and needs only low privileges. The product uses rolling releases, so exact affected and patched versions are unclear, and the vendor has not yet responded to the issue. Although no known exploits are currently in the wild, a proof-of-concept exploit has been published. European organizations using yeqifu warehouse for department management should assess exposure and apply mitigations promptly to prevent unauthorized administrative actions. Countries with higher adoption of this software or critical infrastructure using it are at greater risk.
AI Analysis
Technical Summary
CVE-2026-2105 is an improper authorization vulnerability identified in the yeqifu warehouse software, specifically within the Department Management component's controller functions addDept, updateDept, and deleteDept. These functions reside in the DeptController.java file and are responsible for managing organizational department data. The vulnerability arises because these functions do not properly enforce authorization checks, allowing an attacker with low privileges to remotely invoke these functions and manipulate department data without sufficient permissions. This can lead to unauthorized creation, modification, or deletion of department records, potentially disrupting organizational workflows or enabling further privilege escalation. The vulnerability is remotely exploitable without user interaction and does not require elevated privileges beyond low-level access, increasing its risk profile. The product follows a rolling release model, complicating precise version tracking and patching. Although the vendor has been notified, no fix or response has been issued yet. The CVSS 4.0 base score is 5.3 (medium), reflecting the moderate impact on confidentiality, integrity, and availability, combined with ease of exploitation. No known exploits are currently active in the wild, but a proof-of-concept exploit exists, indicating a credible threat. Organizations using yeqifu warehouse should prioritize authorization controls and monitor for suspicious department management activities.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized manipulation of department data within the yeqifu warehouse system, potentially causing operational disruptions, data integrity issues, and unauthorized access pathways. In sectors where organizational structure data is critical, such as government, finance, healthcare, and manufacturing, this could result in misallocation of resources or erroneous reporting, or facilitate lateral movement by attackers. The lack of proper authorization checks may also allow attackers to create backdoors or hide malicious activities by altering department records. Because the flaw is remotely exploitable and requires no user interaction, attackers could automate exploitation at scale. The rolling release model complicates patch management, increasing the window of exposure. European entities relying on this software for internal management or supply chain operations may face increased risk of insider threat exploitation or of external attackers leveraging this flaw to compromise broader systems.
Mitigation Recommendations
European organizations should first conduct an immediate audit of yeqifu warehouse deployments to identify affected instances. Since no official patch or version details are available, organizations should implement compensating controls such as network segmentation to restrict access to the Department Management API endpoints, enforce strict access control lists limiting who can invoke addDept, updateDept, and deleteDept functions, and enable detailed logging and monitoring of department management activities to detect unauthorized changes. Employ Web Application Firewalls (WAFs) with custom rules to block suspicious requests targeting these functions. Additionally, organizations should consider deploying runtime application self-protection (RASP) tools to detect and block unauthorized API calls. Engaging with the vendor for updates and tracking any forthcoming patches is critical. If possible, temporarily disable or restrict department management features until a fix is available. Regularly review user privileges to ensure least privilege principles are enforced, minimizing the risk of low-privilege accounts being exploited.
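One way to implement the logging-and-monitoring control described above, as an added example that is not code from the advisory or from the yeqifu warehouse project: a Python audit that flags addDept, updateDept and deleteDept calls made by accounts outside a department-admin allowlist. The JSON-lines log format, the /dept/ URL layout, the user names and the allowlist are assumptions; adapt them to what your proxy or application actually records.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Handler names come from the advisory; matching on the last path segment
# is an assumption about how the deployment maps them to URLs.
DEPT_WRITE_HANDLERS = {"adddept", "updatedept", "deletedept"}

# Constructed sample records (assumed JSON-lines audit format, not real data).
SAMPLE_LOG = """\
{"ts": "2026-02-07T10:00:01Z", "user": "dept_admin", "uri": "/dept/addDept", "status": 200}
{"ts": "2026-02-07T10:02:13Z", "user": "clerk01", "uri": "/dept/updateDept?id=4", "status": 200}
{"ts": "2026-02-07T10:02:15Z", "user": "clerk01", "uri": "/dept/deleteDept;jsessionid=ABC", "status": 200}
{"ts": "2026-02-07T10:03:00Z", "user": "clerk01", "uri": "/goods/list", "status": 200}
{"ts": "2026-02-07T10:04:00Z", "user": null, "uri": "/dept/addDept", "status": 302}
not-json
"""

def handler_name(uri):
    """Last path segment, lower-cased, without query string or ;path parameters."""
    last = urlsplit(uri).path.rstrip("/").rsplit("/", 1)[-1]
    return last.split(";", 1)[0].lower()

def audit(lines, authorized_users):
    """Return (findings, skipped): department writes by accounts outside
    authorized_users, grouped by user, plus the count of unparseable lines."""
    findings, skipped = defaultdict(list), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            rec = None
        if not isinstance(rec, dict) or not isinstance(rec.get("uri"), str):
            skipped += 1  # keep a count: gaps in the log are themselves a signal
            continue
        user = str(rec.get("user") or "<anonymous>")
        name = handler_name(rec["uri"])
        if name in DEPT_WRITE_HANDLERS and user not in authorized_users:
            findings[user].append((rec.get("ts"), name, rec.get("status")))
    return dict(findings), skipped

if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG.splitlines(), authorized_users={"dept_admin"})
    for user, events in hits.items():
        print(user, events)
    print("unparseable lines:", bad)
```

The recorded status lets a reviewer separate department writes that were served from those that were redirected or rejected.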
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-06T14:15:55.535Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6987732cf9fa50a62f350edd
Added to database: 2/7/2026, 5:15:24 PM
Last enriched: 2/7/2026, 5:29:29 PM
Last updated: 2/8/2026, 4:11:18 AM