Cyber Resilience

CVE-2026-2079

MediumPublic PoC

Published: 07 February 2026

Published
07 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0026 17.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2079 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Yeqifu Warehouse. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2026-2079 is an improper authorization vulnerability in the yeqifu warehouse project, affecting the Menu Management component up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The flaw resides in the addMenu, updateMenu, and deleteMenu functions within the file dataset/repos/warehouse/src/main/java/com/yeqifu/sys/controller/MenuController.java. It is associated with CWEs-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), with a CVSS v3.1 base score of 6.3.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) in an unchanged scope (S:U). The manipulation leads to improper authorization, allowing unauthorized actions on menu management functions.

Advisories from VulDB indicate the project was informed early via GitHub issue #56 but has not responded, with no patches available. The project uses a rolling release model, providing no specific version details for affected or updated releases. An exploit has been published and may be used, as documented in the referenced GitHub repository and issues.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely.…

more

The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Improper authorization (CWE-285/266) in menu functions enables low-privileged remote attackers to execute unauthorized add/update/delete actions, directly mapping to exploitation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0574Same product: Yeqifu Warehouse
CVE-2026-2077Same product: Yeqifu Warehouse
CVE-2026-2106Same product: Yeqifu Warehouse
CVE-2026-2078Same product: Yeqifu Warehouse
CVE-2026-2076Same product: Yeqifu Warehouse
CVE-2026-2105Same product: Yeqifu Warehouse
CVE-2026-2107Same product: Yeqifu Warehouse
CVE-2026-2075Same product: Yeqifu Warehouse
CVE-2025-2589Shared CWE-266, CWE-285
CVE-2017-20238Shared CWE-285

Affected Assets

yeqifu
warehouse
≤ 2025-10-06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the addMenu/updateMenu/deleteMenu functions so that low-privilege users cannot perform unauthorized menu operations.

prevent

Ensures users are granted only the minimum privileges required, limiting the ability of an authenticated attacker to reach the vulnerable menu-management functions.

prevent

Requires explicit, policy-driven access-control decisions before permitting actions on MenuController endpoints, addressing the missing authorization logic.

References