CVE-2026-1597
Published: 29 January 2026
Summary
CVE-2026-1597 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Bdtask Saleserp. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
Periodic reviews identify and correct flaws in authorization decisions or enforcement.
Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization in a public-facing web app (SalesERP admin endpoint) directly enables remote exploitation for unauthorized access.
NVD Description
A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack may be performed from remote. The…
more
exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-1597 is an improper authorization vulnerability in Bdtask SalesERP versions up to 20260116. The issue resides in the processing of the Administrative Endpoint component, where manipulation of the ci_session argument allows unauthorized access. This flaw is classified under CWE-266 and CWE-285, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
The vulnerability can be exploited remotely by an attacker who possesses low privileges (PR:L), requiring no user interaction and low complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing the attacker to perform unauthorized actions within the affected SalesERP instance.
No vendor response or patches are available, as the developer was contacted early about the disclosure but did not reply. Proof-of-concept exploits have been publicly disclosed, including on GitHub and a YouTube video, increasing the risk of active exploitation as referenced in VulDB entries.
Details
- CWE(s)