Cyber Resilience

CVE-2026-2107

MediumPublic PoC

Published: 07 February 2026

Published
07 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0033 24.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2107 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Yeqifu Warehouse. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2107 is an improper authorization vulnerability in the yeqifu warehouse project, affecting the Log Info Handler component. The issue resides in the functions loadAllLoginfo, deleteLoginfo, and batchDeleteLoginfo within the file dataset/repos/warehouse/src/main/java/com/yeqifu/sys/controller/LoginfoController.java, up to commit aaf29962ba407d22d991781de28796ee7b4670e4. The project does not use versioning, making it impossible to specify affected and unaffected releases.

The vulnerability enables remote exploitation by an attacker possessing low privileges (PR:L), with low attack complexity (AC:L) and no user interaction required. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), resulting in limited impacts to confidentiality, integrity, and availability. Associated CWEs include CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).

Advisories note that the project was informed early via GitHub issue #59 but has not responded, with no patches or mitigations released to date. An exploit is publicly available and could be used. Relevant references include the repository at https://github.com/yeqifu/warehouse/, issue details at https://github.com/yeqifu/warehouse/issues/59 and https://github.com/yeqifu/warehouse/issues/59#issue-3846665806, and VulDB entries at https://vuldb.com/?ctiid.344683 and https://vuldb.com/?id.344683.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\LoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has…

more

been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070 Indicator Removal Stealth
Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity.
Why these techniques?

Improper authorization in public-facing Java web app controller enables remote unauthorized log access/deletion (T1190 exploitation + T1070 indicator removal via deleteLoginfo functions).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2105Same product: Yeqifu Warehouse
CVE-2026-2078Same product: Yeqifu Warehouse
CVE-2026-2076Same product: Yeqifu Warehouse
CVE-2026-0574Same product: Yeqifu Warehouse
CVE-2026-2077Same product: Yeqifu Warehouse
CVE-2026-2106Same product: Yeqifu Warehouse
CVE-2026-2079Same product: Yeqifu Warehouse
CVE-2026-2075Same product: Yeqifu Warehouse
CVE-2025-15432Same vendor: Yeqifu
CVE-2025-65879Same vendor: Yeqifu

Affected Assets

yeqifu
warehouse
≤ 2025-10-06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo before permitting access, blocking the improper authorization flaw.

prevent

Requires least-privilege assignment so low-privilege users cannot reach the Log Info Handler functions that the CVE exposes.

prevent

Ensures access-control decisions are made and enforced at runtime for the affected controller methods rather than being absent.

References