CVE-2026-44260: CWE-863: Incorrect Authorization in efwGrp efw4.X
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.
AI Analysis
Technical Summary
The efw4.X Enterprise Framework for Web has an incorrect authorization vulnerability (CWE-863) in versions before 4.08.010. The readonly flag on the <efw:elFinder> JSP tag is designed to prevent file modifications by disabling UI elements and setting response metadata. However, no server-side event handler verifies the readonly flag before executing write operations. Consequently, an attacker can bypass client-side restrictions by sending crafted requests directly, enabling unauthorized file modifications. The vulnerability is addressed in efw4.X version 4.08.010.
Potential Impact
An attacker with at least low privileges can bypass intended readonly restrictions and perform unauthorized file operations, leading to full confidentiality and integrity compromise of affected files. Availability is not impacted. This can result in unauthorized data modification or deletion.
Mitigation Recommendations
A fix is available in efw4.X version 4.08.010. Users should upgrade to this version to remediate the vulnerability. Patch status is not explicitly confirmed beyond this version update, so verify with the vendor advisory for the latest remediation guidance.
CVE-2026-44260: CWE-863: Incorrect Authorization in efwGrp efw4.X
Description
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The efw4.X Enterprise Framework for Web has an incorrect authorization vulnerability (CWE-863) in versions before 4.08.010. The readonly flag on the <efw:elFinder> JSP tag is designed to prevent file modifications by disabling UI elements and setting response metadata. However, no server-side event handler verifies the readonly flag before executing write operations. Consequently, an attacker can bypass client-side restrictions by sending crafted requests directly, enabling unauthorized file modifications. The vulnerability is addressed in efw4.X version 4.08.010.
Potential Impact
An attacker with at least low privileges can bypass intended readonly restrictions and perform unauthorized file operations, leading to full confidentiality and integrity compromise of affected files. Availability is not impacted. This can result in unauthorized data modification or deletion.
Mitigation Recommendations
A fix is available in efw4.X version 4.08.010. Users should upgrade to this version to remediate the vulnerability. Patch status is not explicitly confirmed beyond this version update, so verify with the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T16:33:55.844Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0399d6cbff5d86101a891e
Added to database: 5/12/2026, 9:21:26 PM
Last enriched: 5/12/2026, 9:36:59 PM
Last updated: 5/13/2026, 4:49:46 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.