CVE-2026-3185: Authorization Bypass in feiyuchuixue sz-boot-parent
A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. An unknown function of the file /api/admin/sys-message/ of the component API Endpoint is affected. Manipulation of the argument messageId results in an authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta addresses this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professionally: "We have implemented message ownership verification, so that users can only query messages related to themselves."
AI Analysis
Technical Summary
CVE-2026-3185 is a medium-severity authorization bypass in feiyuchuixue sz-boot-parent up to and including version 1.3.2-beta. The flaw resides in an unspecified function behind the /api/admin/sys-message/ API endpoint: the handler resolves a system message by the caller-supplied messageId without verifying that the message belongs to the requesting user, so changing messageId returns messages intended for other users (an insecure direct object reference on the message object). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) records a network attack vector, low attack complexity, no privileges or user interaction required, a low (partial) confidentiality impact, no integrity or availability impact, and a proof-of-concept exploit. One caveat on the PR:N rating: the vendor's description of the fix ("users can only query messages related to themselves") describes a check between an authenticated user and a message owner, so in practice the attacker most likely needs at least a low-privileged account on the instance; treat the vector as the upper bound rather than a statement that the endpoint is anonymous. The vendor fixed the issue in 1.3.3-beta by adding message ownership verification; the patch is commit aefaabfd7527188bfba3c8c9eee17c316d094802. No exploitation in the wild is reported, but exploit details are public, which raises the likelihood of attempts.
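The pattern behind the flaw and behind the vendor's fix, as an added example written for this page (it is not sz-boot-parent code; the advisory does not show the project's handler). The table and column names (sys_message, id, receiver_id, title, content), the sample rows and both lookup functions are assumptions made for illustration. The vulnerable lookup selects by id alone; the fixed lookup binds the query to the authenticated user's identity, which is what "message ownership verification" means in practice:

```python
"""Ownership check for a message-lookup endpoint (added example, not sz-boot-parent code).

Table, column names and the two lookup functions are assumptions; the project's
real schema and handler are not on the advisory page.
"""
import sqlite3


def build_store() -> sqlite3.Connection:
    """In-memory table with constructed sample rows: user 7 owns two messages, user 9 owns one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_message (id INTEGER PRIMARY KEY, receiver_id INTEGER NOT NULL, "
        "title TEXT NOT NULL, content TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO sys_message (id, receiver_id, title, content) VALUES (?, ?, ?, ?)",
        [
            (1001, 7, "Password reset", "Your temporary password is ..."),     # user 7
            (1002, 7, "Approval", "Your leave request was approved."),          # user 7
            (1003, 9, "Audit notice", "Finance export scheduled for Friday."),  # user 9
        ],
    )
    return conn


def get_message_vulnerable(conn, message_id: int):
    """Pre-fix pattern: the row is selected by id alone, so any caller who can
    reach the endpoint reads any message simply by changing messageId."""
    row = conn.execute(
        "SELECT id, receiver_id, title, content FROM sys_message WHERE id = ?",
        (message_id,),
    ).fetchone()
    return dict(zip(("id", "receiver_id", "title", "content"), row)) if row else None


def get_message_owned(conn, message_id: int, current_user_id: int):
    """Post-fix pattern: the ownership predicate is part of the query and is bound
    to the authenticated principal (taken from the session, never from the request).
    A message that exists but belongs to someone else yields the same result as a
    missing id, so the endpoint does not act as an existence oracle."""
    row = conn.execute(
        "SELECT id, receiver_id, title, content FROM sys_message "
        "WHERE id = ? AND receiver_id = ?",
        (message_id, current_user_id),
    ).fetchone()
    return dict(zip(("id", "receiver_id", "title", "content"), row)) if row else None


def demo():
    """Authenticated as user 9, request user 7's message 1001 through both paths."""
    conn = build_store()
    attacker = 9
    leaked = get_message_vulnerable(conn, 1001)      # other user's message is returned
    blocked = get_message_owned(conn, 1001, attacker)  # None: not owned by the caller
    own = get_message_owned(conn, 1003, attacker)      # caller's own message still works
    return leaked is not None, blocked is None, own is not None


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The check belongs in the data-access query (or an equivalent server-side filter on the loaded object), not in client-side logic or in a separate "does this user exist" call; and the user id it compares against must come from the authenticated session, because an id taken from the request body or query string is just another attacker-controlled parameter.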
Potential Impact
The primary impact is unauthorized disclosure of system messages, which may contain sensitive or administrative information. Confidentiality is compromised; integrity and availability are not, so the direct damage is limited to information leakage. Leaked administrative messages can still expose internal system details, user data or operational information that helps an attacker with reconnaissance and targeted follow-on attacks. Organizations running affected versions in administrative or sensitive environments are at risk of data exposure, and instances whose API is reachable from the internet are the most exposed, since exploitation is a single parameter change on an otherwise legitimate request. No exploitation in the wild is reported, but the public exploit details raise the risk of opportunistic attacks; failure to patch could lead to data breaches, compliance violations and reputational damage.
Mitigation Recommendations
Upgrade feiyuchuixue sz-boot-parent to 1.3.3-beta or later, which contains the official fix (commit aefaabfd7527188bfba3c8c9eee17c316d094802) adding message ownership verification. Until the upgrade is applied, restrict access to the /api/admin/sys-message/ endpoint with network-level controls (firewalls, API gateway allow-lists) so that only trusted users and addresses can reach it. If you maintain the code or a fork, apply the same fix the vendor did: resolve the message by messageId and the authenticated user's identity together, never by messageId alone, and return the same "not found" response for a missing message and for a message that belongs to someone else. Audit API access logs for messageId manipulation: a single session requesting many distinct or sequential messageId values in a short window is the signature of enumeration, and because the vulnerable code returns the message for other users' ids, status codes alone will not reveal the abuse before the patch. WAF or RASP rules can rate-limit such bursts, but these requests are syntactically valid, so generic parameter-tampering signatures will not match them. Review the other administrative endpoints for the same object-level authorization gap so that least privilege holds per object, not only per endpoint, and monitor threat intelligence feeds for exploit activity targeting this CVE.
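The log audit described above, as an added example for this page (it is not from the advisory or from the project). The access-log format, the field names and the query-string shape (messageId passed as a query parameter on /api/admin/sys-message/) are assumptions; adapt the regex to the gateway or application log you actually have. The sample lines are constructed: one session reads its own two messages, another walks a contiguous id range in a few seconds.

```python
"""Spot messageId enumeration in access logs (added example, not from the advisory or the project).

Log format, field names and the query-string shape are assumptions made for
illustration; the thresholds below are starting points, not a tuned baseline.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: "s-alice" reads her two messages; "s-mallory" enumerates.
SAMPLE_LOG = """\
2026-02-25T14:00:01Z 198.51.100.10 sid=s-alice GET /api/admin/sys-message/?messageId=1001 200
2026-02-25T14:00:05Z 198.51.100.10 sid=s-alice GET /api/admin/sys-message/?messageId=1002 200
2026-02-25T14:02:10Z 203.0.113.5 sid=s-mallory GET /api/admin/sys-message/?messageId=1001 200
2026-02-25T14:02:11Z 203.0.113.5 sid=s-mallory GET /api/admin/sys-message/?messageId=1002 200
2026-02-25T14:02:11Z 203.0.113.5 sid=s-mallory GET /api/admin/sys-message/?messageId=1003 200
2026-02-25T14:02:12Z 203.0.113.5 sid=s-mallory GET /api/admin/sys-message/?messageId=1004 200
2026-02-25T14:02:12Z 203.0.113.5 sid=s-mallory GET /api/admin/sys-message/?messageId=1005 200
2026-02-25T14:02:13Z 203.0.113.5 sid=s-mallory GET /api/admin/sys-message/?messageId=1006 200
2026-02-25T14:03:00Z 198.51.100.22 sid=s-bob GET /api/admin/sys-user/ 200
"""

# Assumed line layout: timestamp, client ip, session id, method, request target, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)
ENDPOINT = "/api/admin/sys-message/"


def message_ids_by_session(log_text: str) -> dict:
    """Map session id -> messageId values requested on the endpoint, in request order.
    Lines that do not parse and requests to other paths are ignored."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        for mid in parse_qs(url.query).get("messageId", []):
            if mid.isdigit():
                seen[m["sid"]].append(int(mid))
    return seen


def longest_sequential_run(ids) -> int:
    """Length of the longest run of consecutive integers in request order (0 for no ids)."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text: str, min_distinct: int = 5, min_run: int = 4) -> dict:
    """Return {session: {"distinct": n, "run": r}} for sessions that requested at least
    `min_distinct` different messageIds or walked `min_run` consecutive ids.
    Sequential runs matter because the vulnerable endpoint answers 200 for other
    users' messages, so the id pattern, not the status code, is the signal."""
    findings = {}
    for sid, ids in message_ids_by_session(log_text).items():
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        if distinct >= min_distinct or run >= min_run:
            findings[sid] = {"distinct": distinct, "run": run}
    return findings


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # {'s-mallory': {'distinct': 6, 'run': 6}}
```

Once the fixed version is deployed, the same enumeration shows up instead as a burst of "not found" responses from one session; keep the id-pattern rule and add a status-based one rather than replacing it, since the pre-patch traffic in older logs carries no error codes at all.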
Affected Countries
China, United States, India, Germany, Japan, South Korea, United Kingdom, France, Brazil, Russia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-25T08:32:01.795Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699effa2b7ef31ef0b1d5e98
Added to database: 2/25/2026, 1:56:50 PM
Last enriched: 2/25/2026, 2:11:01 PM
Last updated: 2/25/2026, 4:58:15 PM