Cyber Resilience

CVE-2026-2078

Medium · Public PoC

Published: 07 February 2026

Modified: 10 February 2026
KEV Added
Patch
CVSS Score v4: 5.3
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0026 (17.3th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2078 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Yeqifu Warehouse. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 17.3th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2078 is an improper authorization vulnerability (CWE-266, CWE-285) in the yeqifu warehouse project, affecting its Permission Management component. The issue resides in the addPermission, updatePermission, and deletePermission functions within the file dataset/repos/warehouse/src/main/java/com/yeqifu/sys/controller/PermissionController.java. It impacts versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4.

The vulnerability enables remote exploitation by an authenticated attacker with low privileges. Per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attacks require low complexity and no user interaction, allowing limited impacts on confidentiality, integrity, and availability through unauthorized permission manipulations.

The project uses a rolling release model, so no specific version details are available for affected or updated releases. The project was informed early via GitHub issue #55 but has not responded. An exploit is public and may be used; details are available in the repository at https://github.com/yeqifu/warehouse/, in issue tracker entries, and on VulDB at https://vuldb.com/?ctiid.344644 and https://vuldb.com/?id.344644.

Vulnerability details

A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\PermissionController.java of the component Permission Management. Performing a manipulation results in improper authorization. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Improper authorization in permission management functions directly enables remote authenticated attackers to manipulate privileges (T1068) on a public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2105: Same product: Yeqifu Warehouse
CVE-2026-0574: Same product: Yeqifu Warehouse
CVE-2026-2077: Same product: Yeqifu Warehouse
CVE-2026-2106: Same product: Yeqifu Warehouse
CVE-2026-2079: Same product: Yeqifu Warehouse
CVE-2026-2075: Same product: Yeqifu Warehouse
CVE-2026-2107: Same product: Yeqifu Warehouse
CVE-2026-2076: Same product: Yeqifu Warehouse
CVE-2026-2109: Shared CWE-266, CWE-285
CVE-2026-3263: Shared CWE-266, CWE-285

Affected Assets

yeqifu warehouse ≤ 2025-10-06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces approved authorizations on the addPermission/updatePermission/deletePermission functions, blocking the unauthorized permission manipulations described in the CVE.

Prevent: Restricts users to the minimum privileges required, preventing low-privilege authenticated attackers from reaching or abusing the vulnerable permission-management endpoints.

Prevent: Ensures access-control decisions are made and enforced at runtime for each permission change request, mitigating the missing authorization checks in PermissionController.java.
