Cyber Resilience

CVE-2026-2174

Severity: Medium
Published: 08 February 2026
Modified: 11 February 2026
CVSS v4 score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0056 (42.4th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-2174 is a medium-severity Improper Authentication (CWE-287) vulnerability in Fabian Contact Management System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-2174 is an improper authentication vulnerability (CWE-287) in code-projects Contact Management System 1.0, affecting an unknown part of the CRUD Endpoint component. The issue arises from manipulation of the ID argument, enabling remote attacks. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-08T19:16:21.597.

The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required and no user interaction needed, due to low attack complexity and network accessibility. Successful exploitation allows limited impacts, including low-level disruption to confidentiality, integrity, and availability.
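To make the weakness class concrete, here is an added example (constructed for this page, not code from the Contact Management System) of a CRUD delete handler that trusts the ID argument without authenticating the caller, beside a hardened handler that enforces authentication and record ownership first, in the spirit of AC-3 and IA-8. The `Request` shape and the sample contact store are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    params: dict                                  # query/form arguments, e.g. {"id": "7"}
    session: dict = field(default_factory=dict)   # {"user_id": ...} once logged in

# Constructed sample data: contact id -> (owner user id, contact name)
CONTACTS = {7: (1, "alice"), 8: (2, "bob")}

def delete_contact_vulnerable(req, store):
    """Mirrors the CWE-287 pattern: acts on the ID argument and never asks who is calling."""
    cid = int(req.params.get("id", 0))
    return store.pop(cid, None) is not None

def delete_contact_hardened(req, store):
    """Authenticate the session, validate the ID, then authorize the specific record."""
    user = req.session.get("user_id")
    if user is None:
        return "401 unauthenticated"          # IA-8: no identity, no access
    try:
        cid = int(req.params.get("id", ""))
    except ValueError:
        return "400 bad id"
    owner = store.get(cid)
    if owner is None or owner[0] != user:
        return "404 not found"                # AC-3: same answer for missing and foreign rows
    del store[cid]
    return "200 deleted"
```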

Advisories and further details are available from VulDB at https://vuldb.com/?ctiid.344875, https://vuldb.com/?id.344875, and https://vuldb.com/?submit.749262, as well as the project site at https://code-projects.org/.

Vulnerability details

A security flaw has been discovered in code-projects Contact Management System 1.0. This affects an unknown part of the component CRUD Endpoint. The manipulation of the argument ID results in improper authentication. The attack may be launched remotely.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper authentication (CWE-287) in the public-facing CRUD endpoint of the web application allows unauthenticated remote exploitation via manipulation of the ID argument, which maps directly to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2176 (same product: Fabian Contact Management System)
CVE-2026-0589 (same vendor: Fabian)
CVE-2026-1443 (same vendor: Fabian)
CVE-2026-0606 (same vendor: Fabian)
CVE-2026-2166 (same vendor: Fabian)
CVE-2026-0575 (same vendor: Fabian)
CVE-2025-69564 (same vendor: Fabian)
CVE-2026-0570 (same vendor: Fabian)
CVE-2026-2173 (same vendor: Fabian)
CVE-2025-69563 (same vendor: Fabian)

Affected Assets

Vendor: fabian
Product: contact management system
Version: 1.0

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly enforces authentication and authorization decisions on the CRUD endpoint before permitting ID-based operations.

IA-8 Identification and Authentication (Non-organizational Users) (prevent)
Requires identification and authentication of non-organizational users before allowing remote access to the contact management functions.

AC-17 Remote Access (prevent, partial match)
Establishes controls and authentication requirements for all remote access to the vulnerable endpoint.
