CVE-2026-1023
Published: 16 January 2026
Summary
CVE-2026-1023 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in the Gotac Statistics Database System. It carries a CVSS base score of 8.7 (High); the CVSS v3.1 vector published for the flaw scores 7.5 (see Deeper analysis), so the 8.7 figure is most likely the CVSS v4.0 score of the same impact profile.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-1023, published on 2026-01-16, is a Missing Authentication vulnerability (CWE-306) in the Statistics Database System developed by Gotac. A specific function that queries database contents is exposed without any authentication check, so unauthenticated remote attackers can call it directly. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, no impact on integrity or availability.
The vector captures the practical risk: the function is reachable over the network (AV:N) with low attack complexity (AC:L), and the attacker needs neither privileges (PR:N) nor user interaction (UI:N). Anyone who can reach the service can retrieve database contents, exposing whatever sensitive data the system stores. The advisory describes no write or denial-of-service effect, and the vector records none.
TWCERT/CC advisories describing mitigation steps are available in English at https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html and in Chinese at https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2971
Vulnerability details
Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on a public-facing database query interface directly enables remote exploitation for initial access and data retrieval (T1190).
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): identifies, authorizes, and limits the actions that may be performed without identification or authentication, so the database query function cannot be one of them.
- IA-8 (Identification and Authentication (Non-Organizational Users)): requires non-organizational users to identify and authenticate, blocking anonymous remote callers from querying database contents.
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to system resources, so the query function is reachable only by authenticated and authorized subjects.
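As an added illustration of the flaw described under Deeper analysis and of the AC-14/AC-3 controls listed above, the following Python is not Gotac's code and does not reflect the product's real routes: it models a CWE-306 query handler that dispatches straight to the database, beside a hardened handler that keeps an explicit allowlist of unauthenticated actions (AC-14) and enforces a role check on the query function (AC-3). The paths, roles, session tokens, and the in-memory database are all constructed for the example.

```python
"""Added example (not Gotac's code): a missing-authentication query
endpoint beside a hardened version that applies AC-14 (explicit allowlist
of actions permitted without authentication) and AC-3 (authorization
enforced on the query function). Paths, roles, tokens and data are
constructed for illustration."""
from dataclasses import dataclass, field
import hmac

# Constructed sample data standing in for the statistics database.
DATABASE = {
    "stats_2025": [{"region": "north", "count": 1200},
                   {"region": "south", "count": 980}],
}

# Constructed session store: bearer token -> (user, role).
SESSIONS = {
    "tok-analyst-1": ("alice", "analyst"),
    "tok-guest-1": ("bob", "guest"),
}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def run_query(table: str):
    """Return the rows of a table; the function itself has no auth logic."""
    return DATABASE.get(table, [])


# --- Vulnerable pattern (CWE-306): the route hands the request to the
# query function with no identity check at all, so any network peer can
# read database contents.
def vulnerable_handle(req: Request):
    if req.path == "/query":
        return 200, run_query(req.params.get("table", ""))
    return 404, None


# --- Hardened pattern.
# AC-14: the only actions permitted without identification are listed
# explicitly; every other path requires an authenticated session.
NO_AUTH_ALLOWLIST = frozenset({"/health", "/login"})
# AC-3: the roles approved to invoke the query function.
QUERY_ROLES = frozenset({"analyst", "admin"})


def lookup_session(req: Request):
    """Return (user, role) for a valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    for known, identity in SESSIONS.items():
        # Constant-time comparison so token prefixes do not leak via timing.
        if hmac.compare_digest(known, token):
            return identity
    return None


def hardened_handle(req: Request):
    if req.path in NO_AUTH_ALLOWLIST:
        return 200, {"status": "ok"}
    identity = lookup_session(req)
    if identity is None:
        return 401, None          # unauthenticated: nothing reaches the DB
    _user, role = identity
    if req.path == "/query":
        if role not in QUERY_ROLES:
            return 403, None      # authenticated but not authorized
        return 200, run_query(req.params.get("table", ""))
    return 404, None
```

The point of the allowlist is that the default is deny: a new route added later is protected unless someone deliberately adds it to `NO_AUTH_ALLOWLIST`, which is the shape AC-14 asks for, whereas the vulnerable handler protects nothing by default.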