CVE-2026-1203
Published: 20 January 2026
Summary
CVE-2026-1203 is a medium-severity Improper Authentication (CWE-287) vulnerability in Crmeb Crmeb. Its CVSS base score is 5.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects unauthorized successful logons resulting from improper authentication implementations.
Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.
Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.
Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.
Session content review can reveal authentication bypasses or failures in session establishment.
Review of authentication-related audit records can detect improper authentication mechanisms or bypasses.
Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote JWT authentication bypass in a public-facing web application (remoteRegister/LoginServices), directly enabling exploitation of public-facing apps for unauthorized access.
NVD Description
A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The…
more
attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-1203 is an improper authentication vulnerability (CWE-287) affecting CRMEB versions up to 5.6.3. The issue resides in the remoteRegister function within the file crmeb/app/services/user/LoginServices.php, part of the JSON Token Handler component. By manipulating the uid argument, attackers can bypass authentication mechanisms.
Remote attackers with no required privileges (PR:N) can exploit this vulnerability over the network (AV:N), though it demands high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation grants low-level impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), enabling improper authentication as targeted users.
Advisories from VulDB (ctiid.341789, id.341789, submit.735349) detail the issue, while a GitHub repository (foeCat/CVE) provides a public proof-of-concept exploit demonstrating the JWT authentication bypass via remoteRegister. The vendor was notified early but has not responded or issued patches, leaving affected systems reliant on manual mitigation or upgrades beyond version 5.6.3.
The exploit is publicly available and could be used in attacks, with exploitability rated as difficult due to its complexity. Published on 2026-01-20, no real-world exploitation has been reported in the available data.
Details
- CWE(s)