
CVE-2026-2852: Improper Access Controls in yeqifu warehouse

Severity: Medium
Published: Fri Feb 20 2026 (02/20/2026, 18:32:07 UTC)
Source: CVE Database V5
Vendor/Project: yeqifu
Product: warehouse

Description

A vulnerability was identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This issue affects the function addSales/updateSales/deleteSales of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\SalesController.java of the component Sales Endpoint. The manipulation leads to improper access controls. The attack can be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 12:48:28 UTC

Technical Analysis

CVE-2026-2852 identifies an improper access control vulnerability in the yeqifu warehouse software, specifically within the SalesController.java file's addSales, updateSales, and deleteSales functions. These functions are responsible for managing sales data through the Sales Endpoint component. Due to insufficient authorization checks, attackers with limited privileges can remotely invoke these functions to add, modify, or delete sales records without proper permissions. The vulnerability is exploitable over the network without requiring user interaction or elevated privileges beyond limited access, increasing its risk profile. The yeqifu warehouse product follows a rolling release strategy, which means that affected versions are continuously updated, making it difficult to pinpoint exact vulnerable versions or patches. The vulnerability was responsibly disclosed early but remains unpatched as of the publication date. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability, with ease of exploitation and no user interaction needed. No known exploits in the wild have been reported yet, but a public exploit exists, increasing the urgency for mitigation.

Potential Impact

This vulnerability can lead to unauthorized manipulation of sales data, impacting data integrity and potentially availability of sales records. Attackers could add fraudulent sales entries, alter existing sales data, or delete critical sales information, which can disrupt business operations, financial reporting, and inventory management. The improper access controls could also lead to loss of trust in the system's data accuracy, regulatory compliance issues, and financial losses. Since the exploit can be performed remotely without user interaction, attackers can automate attacks at scale, increasing the risk for organizations relying on yeqifu warehouse for sales management. The medium severity rating indicates a moderate but tangible risk that could escalate if combined with other vulnerabilities or insider threats.

Mitigation Recommendations

Organizations should immediately audit and strengthen access control mechanisms on the SalesController endpoints (addSales, updateSales, deleteSales). Implement strict authorization checks ensuring only properly authenticated and authorized users can perform sales data modifications. Employ role-based access control (RBAC) or attribute-based access control (ABAC) to limit access to these functions. Monitor logs for unusual activity related to sales data changes. If possible, isolate the sales management interfaces behind additional network controls such as VPNs or IP whitelisting. Engage with the yeqifu project or vendor to obtain patches or updates as they become available. In the interim, consider implementing web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting these endpoints. Regularly review and update security policies and conduct penetration testing focused on access control weaknesses.
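The following is an added example, not code from the yeqifu/warehouse project. It models the Sales Endpoint in plain Java to show the two shapes the recommendations above contrast: a write handler that any authenticated caller reaches, and the same handlers placed behind a single authorization gate that also writes an audit line per decision (the log signal the monitoring advice relies on). The principal model, the permission name `sales:write`, the record store and all method names are assumptions for illustration.

```java
// Added example (hypothetical, not the project's code): one authorization gate
// in front of every sales write, with an audit line per decision.
import java.util.*;

public class SalesAuthorizationDemo {

    // Caller identity as the web layer would hand it to the controller.
    record Principal(String name, Set<String> permissions) {}

    record Sale(long id, String product, int quantity) {}

    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    // Audit trail: one line per authorization decision, so unexpected write
    // attempts against the sales endpoints are visible to monitoring.
    static final List<String> auditLog = new ArrayList<>();

    // In-memory stand-in for the sales table (constructed for the example).
    static final Map<Long, Sale> sales = new HashMap<>();
    static long nextId = 1;

    // The gate. "sales:write" is a constructed permission name; the point is
    // that every state-changing handler calls this before touching data.
    static void requirePermission(Principal caller, String action, String permission) {
        boolean allowed = caller.permissions().contains(permission);
        auditLog.add(String.format("%s action=%s user=%s",
                allowed ? "ALLOW" : "DENY", action, caller.name()));
        if (!allowed) {
            throw new AccessDenied(caller.name() + " lacks " + permission + " for " + action);
        }
    }

    // Vulnerable shape: the handler trusts that reaching it implies
    // permission, so any authenticated caller can remove a record.
    static Sale deleteSalesUnchecked(Principal caller, long id) {
        return sales.remove(id);
    }

    // Hardened shape: authorization runs before any state change, on each
    // of the add/update/delete handlers, not just one of them.
    static Sale addSales(Principal caller, String product, int quantity) {
        requirePermission(caller, "addSales", "sales:write");
        Sale s = new Sale(nextId++, product, quantity);
        sales.put(s.id(), s);
        return s;
    }

    static Sale updateSales(Principal caller, long id, int quantity) {
        requirePermission(caller, "updateSales", "sales:write");
        Sale old = sales.get(id);
        if (old == null) throw new NoSuchElementException("sale " + id);
        Sale updated = new Sale(id, old.product(), quantity);
        sales.put(id, updated);
        return updated;
    }

    static Sale deleteSales(Principal caller, long id) {
        requirePermission(caller, "deleteSales", "sales:write");
        return sales.remove(id);
    }

    public static void main(String[] args) {
        // Constructed principals: a manager with write rights, a read-only clerk.
        Principal manager = new Principal("alice", Set.of("sales:read", "sales:write"));
        Principal clerk   = new Principal("bob",   Set.of("sales:read"));

        Sale s = addSales(manager, "pallet-jack", 2);
        updateSales(manager, s.id(), 3);

        // Unchecked handler: the read-only clerk removes the record.
        System.out.println("unchecked delete by clerk removed: " + deleteSalesUnchecked(clerk, s.id()));

        Sale s2 = addSales(manager, "forklift", 1);
        try {
            deleteSales(clerk, s2.id());
        } catch (AccessDenied e) {
            System.out.println("hardened delete refused: " + e.getMessage());
        }
        System.out.println("records remaining: " + sales.size());
        auditLog.forEach(System.out::println);
    }
}
```

In a Spring Security application the same gate is expressed declaratively: `@PreAuthorize("hasAuthority('sales:write')")` on each write handler, enabled by `@EnableMethodSecurity` on a configuration class, with the framework rejecting the request with 403 before the handler body runs. Whichever mechanism is used, the check belongs on every mutating endpoint, and the DENY lines are what a log-monitoring rule for this endpoint should alert on.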


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-20T09:00:55.867Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6998c9e4be58cf853bab7605

Added to database: 2/20/2026, 8:53:56 PM

Last enriched: 2/28/2026, 12:48:28 PM

Last updated: 4/7/2026, 8:29:08 AM
