CVE-2026-2850 identifies an improper access control vulnerability in the yeqifu warehouse software, specifically within the CustomerController.java file's addCustomer, updateCustomer, and deleteCustomer functions. These functions are part of the Customer Endpoint component responsible for managing customer data. The vulnerability allows remote attackers to perform unauthorized operations on customer records due to insufficient access control checks. The exploit does not require user interaction and can be executed remotely with low privileges, increasing the attack surface. The product follows a rolling release model, which means affected versions are not clearly delineated, complicating patch management and vulnerability mitigation. The vulnerability was responsibly disclosed but remains unpatched as of the publication date. The CVSS 4.0 base score is 5.3 (medium), reflecting moderate impact on confidentiality, integrity, and availability, with ease of exploitation. No known exploits are currently observed in the wild, but public exploit code is available, raising the risk of future attacks.

If exploited, this vulnerability could allow attackers to manipulate customer data by adding, updating, or deleting records without proper authorization. This compromises data integrity and confidentiality, potentially leading to unauthorized data disclosure, data corruption, or denial of service if critical customer data is deleted or altered. Organizations relying on yeqifu warehouse for customer management may face operational disruptions, reputational damage, and regulatory compliance issues due to unauthorized data manipulation. The ease of remote exploitation without user interaction or elevated privileges increases the likelihood of attacks, especially in environments with exposed or poorly segmented network access. The rolling release deployment model may delay patch application, prolonging exposure. Overall, the vulnerability poses a moderate risk to organizations handling sensitive customer information through this platform.

1. Immediately audit and restrict access controls on the Customer Endpoint functions (addCustomer, updateCustomer, deleteCustomer) to ensure only authorized users can perform these operations. 2. Implement strict authentication and authorization checks at the application layer, including role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms. 3. Employ network segmentation and firewall rules to limit external access to the yeqifu warehouse management interfaces. 4. Monitor logs for unusual activity related to customer data manipulation, such as unexpected additions, updates, or deletions. 5. If possible, deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting these endpoints. 6. Engage with the yeqifu project maintainers to obtain patches or updates and apply them promptly once available. 7. Consider implementing multi-factor authentication (MFA) for users with access to customer management functions to reduce risk from compromised credentials. 8. Conduct regular security assessments and code reviews focusing on access control enforcement in critical application components. 9. Maintain an incident response plan to quickly address any exploitation attempts or breaches related to this vulnerability.