CVE-2026-2107
Published: 07 February 2026
Summary
CVE-2026-2107 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Yeqifu Warehouse. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
Periodic reviews identify and correct flaws in authorization decisions or enforcement.
Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization in public-facing Java web app controller enables remote unauthorized log access/deletion (T1190 exploitation + T1070 indicator removal via deleteLoginfo functions).
NVD Description
A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has…
more
been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-2107 is an improper authorization vulnerability in the yeqifu warehouse project, affecting the Log Info Handler component. The issue resides in the functions loadAllLoginfo, deleteLoginfo, and batchDeleteLoginfo within the file dataset/repos/warehouse/src/main/java/com/yeqifu/sys/controller/LoginfoController.java, up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The project does not use versioning, making it impossible to specify affected and unaffected releases.
The vulnerability enables remote exploitation by an attacker possessing low privileges (PR:L), with low attack complexity (AC:L) and no user interaction required. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), resulting in limited impacts to confidentiality, integrity, and availability. Associated CWEs include CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).
Advisories note that the project was informed early via GitHub issue #59 but has not responded, with no patches or mitigations released to date. An exploit is publicly available and could be used. Relevant references include the repository at https://github.com/yeqifu/warehouse/, issue details at https://github.com/yeqifu/warehouse/issues/59 and https://github.com/yeqifu/warehouse/issues/59#issue-3846665806, and VulDB entries at https://vuldb.com/?ctiid.344683 and https://vuldb.com/?id.344683.
Details
- CWE(s)