CVE-2026-2549 identifies an improper access control vulnerability in the zhanghuanhao LibrarySystem 图书馆管理系统, specifically affecting versions 1.1.0 and 1.1.1. The flaw resides in an unknown function within the BookController.java file, which likely handles book-related operations in the system. Improper access control means that the system fails to adequately restrict user permissions, allowing unauthorized remote attackers to perform actions that should be restricted. The vulnerability requires no authentication or user interaction, making it easier to exploit remotely over a network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploit has been publicly disclosed, increasing the risk of exploitation, although no active exploitation in the wild has been confirmed. The vendor has been notified but has not yet issued a patch or response. The lack of a patch means that affected organizations must rely on alternative mitigation strategies. The vulnerability could allow attackers to access or modify sensitive library data, disrupt services, or perform unauthorized operations, potentially impacting library users and administrators.

The vulnerability could lead to unauthorized access or modification of library management data, including book records, user information, and transaction logs. This compromises confidentiality and integrity, potentially exposing sensitive patron data or corrupting the library catalog. Availability could also be affected if attackers disrupt normal operations or cause denial of service. For organizations relying on this system, especially public or academic libraries, this could result in loss of trust, operational disruptions, and compliance issues related to data protection. Since the vulnerability is remotely exploitable without authentication, the attack surface is broad, increasing the likelihood of exploitation. The public disclosure of the exploit further elevates the risk. The impact is particularly significant for libraries with sensitive or regulated data or those integrated with other institutional systems. The medium CVSS score reflects a moderate but non-trivial risk that requires attention.

Until an official patch is released, organizations should implement strict network-level access controls to limit exposure of the LibrarySystem to trusted internal networks only. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting the BookController endpoints. Conduct thorough access reviews and enforce the principle of least privilege for all user roles within the system. Monitor logs for unusual access patterns or unauthorized operations related to book management functions. If possible, isolate the affected system from critical infrastructure and sensitive data stores to contain potential breaches. Engage with the vendor or community to track patch releases or updates. Consider deploying intrusion detection systems (IDS) with signatures tuned for this vulnerability. Finally, educate staff about the risks and signs of exploitation to enable rapid response.