CVE-2026-2079
Published: 07 February 2026
Summary
CVE-2026-2079 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Yeqifu Warehouse. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
Periodic reviews identify and correct flaws in authorization decisions or enforcement.
Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization (CWE-285/266) in menu functions enables low-privileged remote attackers to execute unauthorized add/update/delete actions, directly mapping to exploitation for privilege escalation.
NVD Description
A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\MenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely.…
more
The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-2079 is an improper authorization vulnerability in the yeqifu warehouse project, affecting the Menu Management component up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The flaw resides in the addMenu, updateMenu, and deleteMenu functions within the file dataset/repos/warehouse/src/main/java/com/yeqifu/sys/controller/MenuController.java. It is associated with CWEs-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), with a CVSS v3.1 base score of 6.3.
An attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) in an unchanged scope (S:U). The manipulation leads to improper authorization, allowing unauthorized actions on menu management functions.
Advisories from VulDB indicate the project was informed early via GitHub issue #56 but has not responded, with no patches available. The project uses a rolling release model, providing no specific version details for affected or updated releases. An exploit has been published and may be used, as documented in the referenced GitHub repository and issues.
Details
- CWE(s)