CVE-2026-2851 is a vulnerability identified in the yeqifu warehouse software, specifically within the Inport Endpoint component's addInport, updateInport, and deleteInport functions located in the InportController.java file. The issue stems from improper access control mechanisms that fail to adequately restrict remote users from executing these functions. This improper access control allows attackers with limited privileges (PR:L) to remotely manipulate warehouse import data without requiring authentication or user interaction. The vulnerability affects versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4, but due to the product's rolling release model, exact versioning is unclear. The CVSS 4.0 base score is 5.3 (medium), reflecting network attack vector, low attack complexity, no authentication needed, and limited impact on confidentiality, integrity, and availability. The vulnerability was responsibly disclosed early to the project, but no vendor response or patch is currently available. The exploit has been publicly disclosed, increasing the risk of exploitation. The vulnerability could allow unauthorized data manipulation in warehouse import records, potentially disrupting business operations or corrupting critical inventory data.

The improper access control vulnerability could allow attackers with limited privileges to remotely add, update, or delete import records in the yeqifu warehouse system. This can lead to unauthorized data modification, resulting in data integrity loss and potential disruption of warehouse operations. Organizations relying on accurate inventory and import data may face operational inefficiencies, financial losses, or supply chain disruptions. Although the impact on confidentiality is limited, the integrity and availability of critical warehouse data are at risk. The lack of authentication requirements lowers the barrier for exploitation, increasing the threat surface. Since the product is used in warehouse management, industries such as manufacturing, logistics, and retail could be particularly affected. The absence of a vendor patch means organizations must rely on compensating controls, increasing operational risk until remediation is available.

1. Implement strict network-level access controls to restrict access to the Inport Endpoint functions, allowing only trusted internal IP addresses or VPN users. 2. Employ application-layer access control mechanisms such as web application firewalls (WAFs) to detect and block unauthorized requests targeting addInport, updateInport, and deleteInport endpoints. 3. Monitor logs for unusual activity related to these functions, including unexpected remote calls or changes to import data. 4. Enforce the principle of least privilege for users and services interacting with the warehouse system to minimize the risk of privilege abuse. 5. If possible, disable or restrict the vulnerable endpoints temporarily until an official patch or update is released. 6. Engage with the yeqifu project or vendor to obtain updates or patches and apply them promptly once available. 7. Conduct regular security assessments and penetration tests focusing on access control mechanisms within the warehouse application. 8. Educate internal teams about this vulnerability and encourage vigilance for suspicious activity related to warehouse data manipulation.