CVE-2026-2077
Published: 07 February 2026
Summary
CVE-2026-2077 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Yeqifu Warehouse. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
Periodic reviews identify and correct flaws in authorization decisions or enforcement.
Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization in addRole/updateRole/deleteRole directly allows low-priv authenticated users to alter roles/permissions, enabling privilege escalation via the vulnerable Role Management Handler.
NVD Description
A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role Management Handler. Such manipulation leads to improper authorization. The attack can be…
more
launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-2077 is an improper authorization vulnerability (CWE-266, CWE-285) affecting the yeqifu warehouse project up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The issue impacts the addRole, updateRole, and deleteRole functions in the file dataset/repos/warehouse/src/main/java/com/yeqifu/sys/controller/RoleController.java, which is part of the Role Management Handler component. Published on 2026-02-07, it has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), rated as Medium severity. The project lacks versioning, so specific affected and fixed releases are unavailable.
The vulnerability enables remote exploitation by attackers with low privileges. An authenticated user (PR:L) can manipulate the affected Role Management Handler functions remotely with low complexity and no user interaction, potentially compromising low levels of confidentiality, integrity, and availability.
Advisories note that the project was informed early via GitHub issue #54 but has not responded or issued patches. The exploit has been publicly disclosed and may be actively used. Relevant references include the yeqifu/warehouse GitHub repository, issue #54 (including comment #3846654129), and VulDB entries at ctiid.344643 and id.344643.
Details
- CWE(s)