CVE-2026-46407: CWE-639: Authorization Bypass Through User-Controlled Key in givanz Vvveb
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3.
AI Analysis
Technical Summary
CVE-2026-46407 is an authorization bypass vulnerability in givanz Vvveb CMS before version 1.0.8.3. The issue arises because the admin/auth-token endpoint does not properly restrict access to API tokens, allowing an authenticated administrator to supply another administrator's admin_id and retrieve that user's REST API token list. This leads to unauthorized disclosure of sensitive API tokens. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS 3.1 score of 8.1, indicating high severity. The vendor has fixed this issue in version 1.0.8.3.
Potential Impact
An authenticated administrator can access REST API tokens belonging to other administrators, potentially allowing unauthorized actions or access to sensitive administrative functions via those tokens. This compromises confidentiality and integrity of administrative credentials but does not affect availability. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade to givanz Vvveb version 1.0.8.3 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is confirmed by the vendor's versioning information.
CVE-2026-46407: CWE-639: Authorization Bypass Through User-Controlled Key in givanz Vvveb
Description
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's admin_id. This can disclose sensitive API tokens belonging to other administrators. This vulnerability is fixed in 1.0.8.3.
CVSS v3.1
Score 8.1high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46407 is an authorization bypass vulnerability in givanz Vvveb CMS before version 1.0.8.3. The issue arises because the admin/auth-token endpoint does not properly restrict access to API tokens, allowing an authenticated administrator to supply another administrator's admin_id and retrieve that user's REST API token list. This leads to unauthorized disclosure of sensitive API tokens. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS 3.1 score of 8.1, indicating high severity. The vendor has fixed this issue in version 1.0.8.3.
Potential Impact
An authenticated administrator can access REST API tokens belonging to other administrators, potentially allowing unauthorized actions or access to sensitive administrative functions via those tokens. This compromises confidentiality and integrity of administrative credentials but does not affect availability. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade to givanz Vvveb version 1.0.8.3 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T21:04:10.932Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a076ec7ec166c07b0830aec
Added to database: 5/15/2026, 7:06:47 PM
Last enriched: 5/23/2026, 6:33:35 AM
Last updated: 6/18/2026, 5:24:51 AM
Views: 78
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.