
CVE-2026-4013: Improper Authorization in SourceCodester Web-based Pharmacy Product Management System

Severity: Medium
Published: Thu Mar 12 2026 (03/12/2026, 08:02:07 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Web-based Pharmacy Product Management System

Description

CVE-2026-4013 is a medium severity vulnerability in SourceCodester Web-based Pharmacy Product Management System version 1.0. It involves improper authorization in the add_admin.php file, allowing remote attackers with limited privileges to manipulate authorization controls. Exploitation does not require user interaction or elevated privileges beyond limited access, potentially enabling unauthorized administrative actions. The vulnerability impacts confidentiality, integrity, and availability to a limited extent due to partial authorization bypass. No known exploits are currently in the wild, and no patches have been published yet. Organizations using this product should prioritize access control reviews and restrict network exposure until a fix is available. This threat is particularly relevant to healthcare and pharmaceutical organizations using this specific system, with higher risk in countries where this software is deployed. The vulnerability’s CVSS 4.

AI-Powered Analysis

Last updated: 03/12/2026, 08:29:24 UTC

Technical Analysis

CVE-2026-4013 is an improper authorization vulnerability identified in version 1.0 of the SourceCodester Web-based Pharmacy Product Management System. The flaw exists in the add_admin.php script, which is responsible for administrative user management. Due to insufficient authorization checks, an attacker with limited privileges can remotely manipulate this function to escalate privileges or perform unauthorized administrative actions. The vulnerability does not require user interaction and can be exploited over the network without authentication beyond limited access rights. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), and no user interaction (UI:N), but requires low privileges (PR:L). The impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L), as unauthorized admin access could lead to data exposure, modification, or disruption of pharmacy product management operations. No patches or known exploits are currently available, but the vulnerability poses a risk to organizations relying on this system for critical pharmaceutical inventory and administration. The vulnerability’s medium severity score (5.3) reflects the balance between ease of exploitation and limited impact scope. Given the critical nature of pharmacy management systems, unauthorized admin access could have serious operational and compliance consequences.

Potential Impact

The vulnerability allows attackers with limited privileges to bypass authorization controls and gain unauthorized administrative capabilities within the pharmacy product management system. This can lead to unauthorized access to sensitive pharmaceutical inventory data, modification or deletion of product records, and disruption of pharmacy operations. Such impacts could compromise patient safety, regulatory compliance, and business continuity. While the vulnerability does not allow full system compromise without additional flaws, the ability to escalate privileges remotely increases the attack surface significantly. Organizations worldwide using this software risk data integrity issues, potential exposure of confidential pharmaceutical information, and operational downtime. The lack of known exploits currently reduces immediate risk, but the vulnerability could be targeted in the future, especially by attackers focusing on healthcare supply chains. The medium severity rating indicates a moderate risk that should be addressed promptly to prevent exploitation.

Mitigation Recommendations

1. Immediately restrict network access to the web-based pharmacy management system, allowing only trusted internal IP addresses to connect to the administrative interface.
2. Implement strict role-based access controls (RBAC) and audit all administrative accounts to ensure least privilege principles are enforced.
3. Monitor logs for unusual activity related to add_admin.php or other administrative functions, including unexpected privilege escalations or account creations.
4. If possible, disable or restrict the add_admin.php functionality until a vendor patch or update is available.
5. Conduct a thorough security review of all authorization mechanisms within the application to identify and remediate similar flaws.
6. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting administrative endpoints.
7. Maintain regular backups of critical data to enable recovery in case of data tampering or deletion.
8. Engage with the vendor or community to obtain updates or patches as soon as they are released and apply them promptly.
9. Educate system administrators and users about the risks of unauthorized access and the importance of secure credential management.
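As an added example (not code from the advisory or from the vendor), the following Python script applies recommendations 1 and 3 together: it reads web server access logs, picks out every request to add_admin.php, and flags hits from outside the trusted internal networks as well as any successful POST to the endpoint. The log lines, the trusted network ranges and the application path prefix are constructed for illustration; Apache combined log format is assumed.

```python
import ipaddress
import re
from collections import Counter
# Constructed Apache combined-format access log lines (illustrative only; the
# addresses, paths and timestamps are made up and are not from the advisory).
SAMPLE_LOG = """\
10.0.5.21 - - [12/Mar/2026:08:01:10 +0000] "GET /pharmacy/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.21 - - [12/Mar/2026:08:02:03 +0000] "POST /pharmacy/add_admin.php HTTP/1.1" 200 318 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2026:08:02:07 +0000] "POST /pharmacy/add_admin.php HTTP/1.1" 200 318 "-" "python-requests/2.31"
203.0.113.45 - - [12/Mar/2026:08:02:09 +0000] "POST /pharmacy/add_admin.php HTTP/1.1" 200 318 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2026:08:05:44 +0000] "GET /pharmacy/add_admin.php?x=1 HTTP/1.1" 200 2210 "-" "curl/8.4"
"""
# Networks allowed to reach the admin interface (assumed values; adjust to your site).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Administrative scripts to watch; add_admin.php is the one named in the advisory.
WATCHED = ("/add_admin.php",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

# Flag hits on watched endpoints: 'external' = client outside TRUSTED_NETS,
# 'admin_create_attempt' = 2xx POST, which should be rare even for real admins.
def analyze(log_text: str):
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if not any(path.endswith(w) for w in WATCHED):
            continue
        reasons = []
        if not is_trusted(m["ip"]):
            reasons.append("external")
        if m["method"] == "POST" and m["status"].startswith("2"):
            reasons.append("admin_create_attempt")
        if reasons:
            alerts.append((m["ip"], m["ts"], m["method"], path, int(m["status"]), ",".join(reasons)))
    return alerts

def hits_per_source(alerts):
    # Count alerts per client address, to spot repeated attempts from one source.
    return dict(Counter(a[0] for a in alerts))
```

Run against the real access log, an alert from an internal address still deserves a look, since the flaw lets a low-privileged authenticated user reach the endpoint; the network restriction only narrows who can try.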


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-03-11T19:07:39.747Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69b275fa2f860ef94349bd03

Added to database: 3/12/2026, 8:14:50 AM

Last enriched: 3/12/2026, 8:29:24 AM

Last updated: 3/12/2026, 11:42:03 AM

