The vulnerability identified as CVE-2026-3186 affects the feiyuchuixue sz-boot-parent software up to version 1.3.2-beta. The issue resides in the password reset functionality exposed via the API endpoint /api/admin/sys-user/reset/password/. Specifically, the vulnerability arises from improper handling of the userId argument, which allows an attacker to reset any user's password to a default password without proper authorization checks. This means that an unauthenticated remote attacker can manipulate the password reset process to gain access to user accounts by leveraging the default password. The root cause is the lack of authorization validation on the password reset interface, permitting unauthorized password resets. The vendor addressed this vulnerability in version 1.3.3-beta by implementing authorization validation, ensuring only users with appropriate permissions can perform password resets. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level. The exploit has been publicly disclosed, but no known exploits in the wild have been reported yet. The vulnerability impacts confidentiality and integrity by enabling unauthorized account access and potential privilege escalation. The attack vector is network-based, requiring no authentication or user interaction, making it relatively easy to exploit remotely. The scope is limited to deployments using the affected versions of sz-boot-parent. The vendor responded professionally by promptly releasing a patch and improving security controls.

This vulnerability allows remote attackers to reset user passwords to a default value without authorization, leading to unauthorized access to user accounts. This can compromise the confidentiality of sensitive information and integrity of user data. Attackers could leverage this to escalate privileges, impersonate legitimate users, or disrupt normal operations by locking out users. Organizations relying on affected versions of sz-boot-parent risk account takeovers, potential data breaches, and operational disruptions. Since the exploit requires no authentication or user interaction, the attack surface is broad, increasing the likelihood of exploitation in exposed environments. The impact is particularly significant for organizations with sensitive or critical systems relying on this software for user management. Although no active exploitation has been reported, the public disclosure increases the risk of opportunistic attacks. Failure to patch could lead to reputational damage, regulatory penalties, and financial losses.

Organizations should immediately upgrade feiyuchuixue sz-boot-parent to version 1.3.3-beta or later, which includes authorization validation on the password reset interface. Until the upgrade is applied, restrict network access to the password reset API endpoint to trusted administrators only, using network segmentation and firewall rules. Implement monitoring and alerting for unusual password reset activities, especially resets to default passwords or resets initiated from unexpected IP addresses. Conduct regular audits of user accounts and password reset logs to detect unauthorized resets. Enforce strong password policies and consider multi-factor authentication to reduce the impact of compromised accounts. Review and tighten access controls for administrative functions related to user management. Additionally, perform penetration testing focused on authentication and password reset mechanisms to identify any residual weaknesses. Maintain timely patch management processes and subscribe to vendor security advisories for early warnings.