Cyber Resilience

CVE-2026-2106

MediumPublic PoC

Published: 07 February 2026

Published
07 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2106 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Yeqifu Warehouse. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2106 is an improper authorization vulnerability affecting the yeqifu warehouse project up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The issue resides in the Notice Management component, specifically within the addNotice, updateNotice, deleteNotice, and batchDeleteNotice functions of the file dataset/repos/warehouse/src/main/java/com/yeqifu/sys/controller/NoticeController.java. This flaw, classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-07.

The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction. Successful exploitation allows manipulation leading to unauthorized actions on notices, resulting in low impacts to confidentiality, integrity, and availability.

Advisories from VulDB (ctiid.344682 and id.344682) and GitHub issue #58 detail the flaw, noting that the project was informed early via an issue report but has not responded. The project uses continuous delivery with rolling releases, so no specific affected or patched versions are available; practitioners should monitor the repository at https://github.com/yeqifu/warehouse/ for updates.

The exploit has been publicly disclosed and may be used, though no evidence of active real-world exploitation is reported.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\NoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The…

more

exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Improper authorization (CWE-285/266) in authenticated notice management functions directly enables an authenticated low-privileged user to perform unauthorized actions, mapping to exploitation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0574Same product: Yeqifu Warehouse
CVE-2026-2077Same product: Yeqifu Warehouse
CVE-2026-2079Same product: Yeqifu Warehouse
CVE-2026-2078Same product: Yeqifu Warehouse
CVE-2026-2076Same product: Yeqifu Warehouse
CVE-2026-2105Same product: Yeqifu Warehouse
CVE-2026-2107Same product: Yeqifu Warehouse
CVE-2026-2075Same product: Yeqifu Warehouse
CVE-2025-2589Shared CWE-266, CWE-285
CVE-2017-20238Shared CWE-285

Affected Assets

yeqifu
warehouse
≤ 2025-10-06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on addNotice/updateNotice/deleteNotice/batchDeleteNotice before permitting actions.

prevent

Restricts the low-privilege accounts that can reach the NoticeController functions, limiting exploit impact.

prevent

Requires explicit access-control decisions to be made and enforced for each notice-management operation.

References