CVE-2026-5326 is an authorization bypass vulnerability found in SourceCodester Leave Application System version 1.0. The flaw exists in the User Information Handler component, specifically within the /index.php?page=manage_user endpoint. By manipulating the 'ID' parameter in the HTTP request, an attacker can bypass authorization checks that normally restrict access to user management functions. This bypass allows an unauthenticated remote attacker to access or modify user information without proper permissions. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely over the network. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with attack vector as network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact primarily affects confidentiality due to unauthorized access to user data, with limited integrity or availability impact. No patches are currently linked, and no known exploits are reported in the wild, but a public exploit is available, increasing the risk of exploitation. This vulnerability highlights a critical weakness in access control mechanisms within the affected software, which is commonly used for leave and user management in organizational HR systems.

The primary impact of CVE-2026-5326 is unauthorized access to user management functions within the SourceCodester Leave Application System. This can lead to exposure of sensitive user information, unauthorized modification of user data, or potential privilege escalation if administrative functions are accessible. Organizations relying on this system for HR or leave management may face data breaches, privacy violations, and internal security policy violations. The vulnerability’s remote exploitability without authentication increases the risk of automated attacks or exploitation by external threat actors. While the vulnerability does not directly impact system availability or integrity broadly, unauthorized access to user data can undermine trust and compliance with data protection regulations. The presence of a public exploit further elevates the risk of exploitation, especially in environments where the system is internet-facing or insufficiently segmented. Organizations may also face reputational damage and regulatory penalties if sensitive employee data is compromised.

To mitigate CVE-2026-5326, organizations should first verify if they are running SourceCodester Leave Application System version 1.0 and restrict access to the /index.php?page=manage_user endpoint through network segmentation and firewall rules, limiting access to trusted internal IPs only. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious manipulation of the 'ID' parameter. Since no official patch is currently available, consider applying virtual patching techniques or modifying source code to enforce strict authorization checks on the 'ID' parameter before granting access. Conduct thorough access control reviews and audits of user management functions to ensure proper role-based access control (RBAC) is enforced. Monitor logs for unusual access patterns to the affected endpoint and deploy intrusion detection systems (IDS) to alert on potential exploitation attempts. Educate internal teams about the vulnerability and restrict administrative privileges to minimize potential damage. Plan for an upgrade or patch deployment once an official fix is released by the vendor.