CVE-2026-2850 identifies an improper access control vulnerability within the yeqifu warehouse software, specifically in the CustomerController.java component that handles customer management functions (addCustomer, updateCustomer, deleteCustomer). The vulnerability allows remote attackers to perform unauthorized operations on customer data by exploiting insufficient access control checks in these API endpoints. The affected version is identified by a specific commit hash (aaf29962ba407d22d991781de28796ee7b4670e4), but due to the product's rolling release model, other versions may also be vulnerable. The CVSS 4.0 score of 5.3 reflects a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and no user interaction (UI:N). The impact includes limited confidentiality, integrity, and availability consequences, as attackers can manipulate customer records remotely. The vulnerability was responsibly disclosed but remains unpatched, and a public exploit exists, increasing the risk of exploitation. No known active exploitation campaigns have been reported to date. The lack of vendor response and patch availability necessitates immediate mitigation efforts by users of this software.

The vulnerability allows unauthorized remote modification of customer data, which can lead to data integrity issues, unauthorized data disclosure, or denial of service through deletion or corruption of customer records. Organizations relying on yeqifu warehouse for customer management may face operational disruptions, loss of customer trust, and potential regulatory compliance violations if sensitive customer information is altered or exposed. The medium severity indicates that while the impact is not catastrophic, it is significant enough to warrant prompt attention, especially in environments where customer data integrity is critical. Attackers with network access and limited privileges can exploit this flaw without user interaction, increasing the attack surface. The absence of authentication bypass reduces the risk somewhat but does not eliminate the threat, particularly in multi-tenant or shared network environments.

Until an official patch is released, organizations should implement strict network segmentation to limit access to the Customer Endpoint APIs only to trusted internal systems and users. Employ strong authentication and authorization mechanisms to ensure that only authorized personnel can invoke addCustomer, updateCustomer, and deleteCustomer functions. Conduct thorough access control audits and code reviews to identify and remediate similar flaws in custom or integrated components. Monitor logs for unusual activity related to customer data operations and establish alerting for unauthorized access attempts. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block suspicious API calls targeting customer management endpoints. Engage with the vendor for updates and apply patches promptly once available. Additionally, implement data backup and recovery procedures to mitigate the impact of potential data manipulation or deletion.