CVE-2026-2549: Improper Access Controls in zhanghuanhao LibrarySystem 图书馆管理系统
A vulnerability has been found in zhanghuanhao LibrarySystem 图书馆管理系统 up to version 1.1.1. It affects an unknown function in the file BookController.java. The manipulation leads to improper access controls. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-2549 identifies an improper access control vulnerability in the zhanghuanhao LibrarySystem 图书馆管理系统, specifically affecting versions 1.1.0 and 1.1.1. The flaw resides in the file BookController.java, where certain functions fail to enforce proper authorization checks. This allows remote attackers to bypass access restrictions and potentially read or manipulate sensitive library data without authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), with a network attack vector and low attack complexity. It affects confidentiality, integrity, and availability to a limited extent. The vulnerability was responsibly disclosed via an issue report, but the vendor has not yet provided a fix or patch. No active exploitation in the wild has been reported, but public disclosure increases the risk of exploitation attempts. The absence of an authentication requirement and the remote exploitability make this vulnerability a concern for organizations relying on this library management system, especially those managing sensitive or regulated data. It underlines the importance of rigorous, server-side access control enforcement in web applications that manage critical data assets.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to library management data, including potentially sensitive user information, borrowing records, or catalog details. The improper access controls could allow attackers to view or modify data, impacting confidentiality and integrity. Availability impacts may arise if attackers manipulate data or system functions to disrupt normal operations. While the vulnerability does not require authentication or user interaction, the scope is limited to the affected versions of the zhanghuanhao LibrarySystem, which may not be widely deployed across Europe. However, institutions such as universities, public libraries, or research centers using this system could face data breaches or operational disruptions. The public disclosure without a patch increases the urgency for affected organizations to implement mitigations. Compliance with data protection regulations like GDPR may be at risk if personal data is exposed or altered due to exploitation of this vulnerability.
Mitigation Recommendations
Since no official patch is currently available, organizations should implement compensating controls immediately. These include:
1) Conducting a thorough audit of access control mechanisms within the LibrarySystem, especially focusing on the BookController.java functions, to identify and restrict unauthorized access paths.
2) Applying web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable endpoints.
3) Restricting network access to the LibrarySystem to trusted internal networks or VPNs to reduce exposure to remote attackers.
4) Monitoring logs for unusual access patterns or unauthorized data queries related to the affected components.
5) Engaging with the vendor or community to track patch releases and apply updates promptly once available.
6) Considering temporary migration to alternative library management solutions if the risk is deemed unacceptable.
7) Educating staff about the vulnerability and potential indicators of compromise to enhance detection capabilities.
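Recommendation 4 (log monitoring) is the one control that can be put in place without touching the application. The following script is an added example written for this advisory; it is not code from the LibrarySystem project, and it assumes a reverse proxy in front of the application that writes Common Log Format lines with the authuser field populated ("-" when no authenticated identity is present). The route prefix `/book/`, the thresholds and the log lines are constructed placeholders: the advisory does not state the actual routes served by BookController.java, so adjust the prefix to the real deployment. The script flags two patterns a defender would want surfaced: a state-changing request to a monitored route that succeeded without an authenticated user, and a burst of requests to the monitored routes from one client, which goes slightly beyond the advisory's text to cover enumeration of records.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Common Log Format: host ident authuser [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Placeholder: the advisory does not name the routes behind BookController.java,
# so this prefix is an assumption to be replaced with the deployment's real paths.
MONITORED_PREFIX = "/book/"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
BURST_THRESHOLD = 5            # requests from one client ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2026:10:04:11 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [16/Feb/2026:10:04:15 +0000] "POST /book/delete?id=17 HTTP/1.1" 200 27
198.51.100.9 - alice [16/Feb/2026:10:04:50 +0000] "POST /book/update HTTP/1.1" 200 30
203.0.113.5 - - [16/Feb/2026:10:04:55 +0000] "POST /book/add HTTP/1.1" 403 0
198.51.100.22 - - [16/Feb/2026:10:05:00 +0000] "GET /book/detail?id=1 HTTP/1.1" 200 900
198.51.100.22 - - [16/Feb/2026:10:05:10 +0000] "GET /book/detail?id=2 HTTP/1.1" 200 900
198.51.100.22 - - [16/Feb/2026:10:05:20 +0000] "GET /book/detail?id=3 HTTP/1.1" 200 900
198.51.100.22 - - [16/Feb/2026:10:05:30 +0000] "GET /book/detail?id=4 HTTP/1.1" 200 900
198.51.100.22 - - [16/Feb/2026:10:05:40 +0000] "GET /book/detail?id=5 HTTP/1.1" 200 900
this line is not in log format and is skipped
"""


@dataclass
class Finding:
    severity: str
    ip: str
    reason: str
    lines: List[int]   # 1-based line numbers in the analysed log


def parse(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    by_ip = defaultdict(list)   # ip -> [(timestamp, lineno)] for monitored routes

    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        if rec is None or not rec["path"].startswith(MONITORED_PREFIX):
            continue
        by_ip[rec["ip"]].append((rec["ts"], lineno))

        # Rule 1: a write to a monitored route succeeded with no authenticated user.
        # A 4xx on the same request is the expected outcome and is not reported.
        if (rec["method"] in WRITE_METHODS and rec["user"] == "-"
                and 200 <= rec["status"] < 400):
            findings.append(Finding(
                "high", rec["ip"],
                f"unauthenticated {rec['method']} {rec['path']} "
                f"succeeded with status {rec['status']}", [lineno]))

    # Rule 2: sliding window over each client's requests to the monitored routes.
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BURST_THRESHOLD:
                findings.append(Finding(
                    "medium", ip,
                    f"{count} requests to {MONITORED_PREFIX}* within "
                    f"{int(BURST_WINDOW.total_seconds())}s",
                    [ln for _, ln in events[start:end + 1]]))
                break   # one finding per client is enough
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip}: {f.reason} (lines {f.lines})")
```

On the constructed sample the script reports one high finding (line 2, an unauthenticated delete that returned 200) and one medium finding (lines 5 to 9, five detail lookups from one client in 40 seconds). The forbidden `POST /book/add` on line 4 is deliberately not reported, which is the behaviour to expect once an authorization check or WAF rule is in place; a sudden drop in such 403s against a flat request rate is itself worth alerting on.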
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-15T16:06:15.489Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6992eb9bbda29fb02f62aae7
Added to database: 2/16/2026, 10:04:11 AM
Last enriched: 2/16/2026, 10:18:35 AM
Last updated: 2/21/2026, 12:19:29 AM
Views: 41