CVE-2026-1597
Published: 29 January 2026
Summary
CVE-2026-1597 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Bdtask Saleserp. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2026-1597 is an improper authorization vulnerability in Bdtask SalesERP versions up to 20260116. The issue resides in the processing of the Administrative Endpoint component, where manipulation of the ci_session argument allows unauthorized access. This flaw is classified under CWE-266 and CWE-285, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
The vulnerability can be exploited remotely by an attacker who possesses low privileges (PR:L), requiring no user interaction and low complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing the attacker to perform unauthorized actions within the affected SalesERP instance.
No vendor response or patches are available: the developer was contacted early about the disclosure but did not reply. Proof-of-concept exploits have been publicly disclosed, including on GitHub and in a YouTube video, which increases the risk of active exploitation, as referenced in the VulDB entries.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4955
Vulnerability details
A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization in a public-facing web app (SalesERP admin endpoint) directly enables remote exploitation for unauthorized access.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access-control policy on the administrative endpoint so that manipulation of ci_session cannot grant unauthorized actions.
- Least privilege: limits the privileges available to any authenticated session, reducing the impact of the improper-authorization flaw to the minimal set needed for SalesERP tasks.
- AC-24 (Access Control Decisions): ensures access-control decisions are made by a trusted reference monitor rather than being bypassed via the vulnerable ci_session argument.
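As an added illustration of the AC-3/AC-24 pattern above (hypothetical code, not SalesERP's and not part of the advisory), a minimal reference monitor for an administrative endpoint that treats the ci_session value purely as an opaque key into a server-side store, so that altering the cookie's content cannot change the authorization decision. The session store, roles and action table are constructed for the example.

```python
"""Hypothetical reference monitor for an administrative endpoint (added example,
not SalesERP code). Implements NIST 800-53 AC-3 / AC-24: the client-supplied
ci_session value is only an opaque lookup key; role and permissions come from
server-side state, so altering the cookie cannot grant extra privilege."""
from dataclasses import dataclass
from typing import Optional

# Constructed server-side session store: opaque id -> attributes set at login.
SESSION_STORE = {
    "a1b2c3d4e5f6a7b8": {"user_id": 12, "role": "staff"},
    "f6e5d4c3b2a1f8e7": {"user_id": 1, "role": "admin"},
}

# Least privilege: each administrative action lists the roles allowed to run it.
ADMIN_ACTIONS = {
    "user_create": {"admin"},
    "user_delete": {"admin"},
    "report_view": {"admin", "staff"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    user_id: Optional[int] = None


def authorize(ci_session: str, action: str) -> Decision:
    """Decide whether the session may run `action`, using server-side data only."""
    if action not in ADMIN_ACTIONS:
        return Decision(False, "unknown action")
    # Exact-match lookup: the cookie's content is never parsed or trusted.
    session = SESSION_STORE.get(ci_session)
    if session is None:
        return Decision(False, "no such session")  # forged, tampered or expired id
    if session["role"] not in ADMIN_ACTIONS[action]:
        return Decision(False, "role not permitted", session["user_id"])
    return Decision(True, "ok", session["user_id"])


if __name__ == "__main__":
    # A cookie value padded with extra attributes is simply an unknown key.
    for cookie, action in [("f6e5d4c3b2a1f8e7", "user_delete"),
                           ("a1b2c3d4e5f6a7b8", "user_delete"),
                           ("a1b2c3d4e5f6a7b8;role=admin", "user_delete")]:
        print(cookie, action, authorize(cookie, action))
```

Every denial carries a reason and, where known, the user id, which is the record an audit log of the administrative endpoint should keep.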