Cyber Resilience

CVE-2026-1597

Medium · Public PoC

Published: 29 January 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: none available
CVSS v4.0 score: 5.3 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0027 (18.8th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-1597 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Bdtask SalesERP. Its CVSS v4.0 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-1597 is an improper authorization vulnerability in Bdtask SalesERP versions up to 20260116. The issue resides in the processing of the Administrative Endpoint component, where manipulation of the ci_session argument allows unauthorized access. This flaw is classified under CWE-266 and CWE-285, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.

The vulnerability can be exploited remotely by an attacker who possesses low privileges (PR:L), requiring no user interaction and low complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing the attacker to perform unauthorized actions within the affected SalesERP instance.

No vendor response or patches are available, as the developer was contacted early about the disclosure but did not reply. Proof-of-concept exploits have been publicly disclosed, including on GitHub and a YouTube video, increasing the risk of active exploitation as referenced in VulDB entries.

Vulnerability details

A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-266 (Incorrect Privilege Assignment), CWE-285 (Improper Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper authorization in a public-facing web app (SalesERP admin endpoint) directly enables remote exploitation for unauthorized access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25505: same vendor (Bdtask)
CVE-2026-3762: shared CWE-266, CWE-285
CVE-2026-2105: shared CWE-266, CWE-285
CVE-2026-2896: shared CWE-266, CWE-285
CVE-2026-3724: shared CWE-266, CWE-285
CVE-2025-2360: shared CWE-266, CWE-285
CVE-2025-8756: shared CWE-266, CWE-285
CVE-2026-7505: shared CWE-266, CWE-285
CVE-2026-1112: shared CWE-266, CWE-285
CVE-2026-4617: shared CWE-266, CWE-285

Affected Assets

Vendor: bdtask
Product: saleserp
Version: 2026-01-16

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (AC-3, Access Enforcement): Directly enforces access-control policy on the administrative endpoint so that manipulation of ci_session cannot grant unauthorized actions.

Prevent (least privilege): Limits the privileges available to any authenticated session, reducing the impact of the improper-authorization flaw to the minimal set needed for SalesERP tasks.

Prevent (AC-24, Access Control Decisions): Ensures access-control decisions are made by a trusted reference monitor rather than being bypassed via the vulnerable ci_session argument.
