CVE-2026-1203
Published: 20 January 2026
Summary
CVE-2026-1203 is a medium-severity Improper Authentication (CWE-287) vulnerability in Crmeb Crmeb. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2026-1203 is an improper authentication vulnerability (CWE-287) affecting CRMEB versions up to 5.6.3. The issue resides in the remoteRegister function within the file crmeb/app/services/user/LoginServices.php, part of the JSON Token Handler component. By manipulating the uid argument, attackers can bypass authentication mechanisms.
Remote attackers with no required privileges (PR:N) can exploit this vulnerability over the network (AV:N), though it demands high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation grants low-level impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), enabling improper authentication as targeted users.
Advisories from VulDB (ctiid.341789, id.341789, submit.735349) detail the issue, while a GitHub repository (foeCat/CVE) provides a public proof-of-concept exploit demonstrating the JWT authentication bypass via remoteRegister. The vendor was notified early but has not responded or issued patches, leaving affected systems reliant on manual mitigation or upgrades beyond version 5.6.3.
The exploit is publicly available and could be used in attacks, with exploitability rated as difficult due to its complexity. Published on 2026-01-20, no real-world exploitation has been reported in the available data.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3485
Vulnerability details
A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The…
more
attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote JWT authentication bypass in a public-facing web application (remoteRegister/LoginServices), directly enabling exploitation of public-facing apps for unauthorized access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication decisions before allowing access via the remoteRegister function, blocking uid manipulation that bypasses JWT validation.
Requires unique identification and authentication of users before granting access, directly mitigating the improper authentication flaw in the JSON Token Handler.
Protects session authenticity for JWT tokens, reducing the ability to exploit uid manipulation in remoteRegister to impersonate users.