Cyber Resilience

CVE-2026-1203

MediumPublic PoC

Published: 20 January 2026

Published
20 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v4 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0070 48.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1203 is a medium-severity Improper Authentication (CWE-287) vulnerability in Crmeb Crmeb. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-1203 is an improper authentication vulnerability (CWE-287) affecting CRMEB versions up to 5.6.3. The issue resides in the remoteRegister function within the file crmeb/app/services/user/LoginServices.php, part of the JSON Token Handler component. By manipulating the uid argument, attackers can bypass authentication mechanisms.

Remote attackers with no required privileges (PR:N) can exploit this vulnerability over the network (AV:N), though it demands high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation grants low-level impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), enabling improper authentication as targeted users.

Advisories from VulDB (ctiid.341789, id.341789, submit.735349) detail the issue, while a GitHub repository (foeCat/CVE) provides a public proof-of-concept exploit demonstrating the JWT authentication bypass via remoteRegister. The vendor was notified early but has not responded or issued patches, leaving affected systems reliant on manual mitigation or upgrades beyond version 5.6.3.

The exploit is publicly available and could be used in attacks, with exploitability rated as difficult due to its complexity. Published on 2026-01-20, no real-world exploitation has been reported in the available data.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The…

more

attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remote JWT authentication bypass in a public-facing web application (remoteRegister/LoginServices), directly enabling exploitation of public-facing apps for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1202Same product: Crmeb Crmeb
CVE-2025-25763Same product: Crmeb Crmeb
CVE-2025-15442Same product: Crmeb Crmeb
CVE-2025-15443Same product: Crmeb Crmeb
CVE-2025-10390Same product: Crmeb Crmeb
CVE-2025-10389Same product: Crmeb Crmeb
CVE-2025-1044Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2026-7022Shared CWE-287
CVE-2024-13111Shared CWE-287

Affected Assets

crmeb
crmeb
≤ 5.6.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication decisions before allowing access via the remoteRegister function, blocking uid manipulation that bypasses JWT validation.

prevent

Requires unique identification and authentication of users before granting access, directly mitigating the improper authentication flaw in the JSON Token Handler.

prevent

Protects session authenticity for JWT tokens, reducing the ability to exploit uid manipulation in remoteRegister to impersonate users.

References