CVE-2026-22788
Published: 12 January 2026
Summary
CVE-2026-22788 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in WebErpMesv2 (vendor/product listed as Wem-Project Wem). Its CVSS v3.1 base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). It ranks in the top 38.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly requires defining and restricting actions permitted without identification or authentication, directly preventing exposure of sensitive API endpoints to unauthenticated attackers.
AC-3 mandates enforcement of approved authorizations for access to system resources, ensuring authentication middleware blocks unauthorized reads and writes on critical APIs.
IA-2 requires identification and authentication of users before accessing system resources, directly mitigating unauthenticated access to business-critical data and manipulation functions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability involves missing authentication on sensitive API endpoints in a public-facing web application, enabling unauthenticated remote exploitation for data access and limited manipulation, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19.
Deeper analysis
CVE-2026-22788 affects WebErpMesv2, an open-source web-based Resource Management and Manufacturing Execution System designed for industrial use. In versions prior to 1.19, the application exposes multiple sensitive API endpoints without authentication middleware, an instance of CWE-306 (Missing Authentication for Critical Function). The flaw carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): high confidentiality impact from the unauthenticated reads, low integrity impact from the limited writes, and no availability impact.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges or user interaction required. Successful exploitation allows reading of sensitive business-critical information, such as companies, quotes, orders, tasks, and whiteboards. Attackers also gain limited write access: they can create new company records and fully manipulate collaboration whiteboards, which can disrupt operations or seed content that legitimate users will act on.
The GitHub security advisory (GHSA-pp68-5pc2-hv7w) and associated commit (3a7ab1c95d1d1c8f7c62c84bc87b3666ecd2fa23) confirm the issue is resolved in WebErpMesv2 version 1.19, which introduces proper authentication middleware for the affected endpoints. Practitioners should upgrade to 1.19 or later and then verify, rather than assume, that every API route is behind the authentication middleware unless it is deliberately public: an unauthenticated request to an affected endpoint should now be rejected (typically with a 401) rather than answered with data. Because the weakness is a missing check rather than a parsing bug, exploitation leaves few distinctive traces; review web server access logs for requests to the affected API paths that carry no session or bearer credential, and treat the data those endpoints serve as potentially disclosed for the period the vulnerable version was exposed.
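The pattern described in the advisory and in the AC-14/AC-3 controls above, modelled in plain Python as an added example (this is not WebErpMesv2's code, and the real fix lives in that project's own routing and middleware configuration). The route table is built once without an auth middleware (the pre-1.19 shape) and once with it; a dispatcher runs the middleware where it is registered; and an audit function flags any route reachable anonymously that is not on an explicit allow-list of permitted unauthenticated actions, which is what AC-14 asks you to maintain. The paths /api/login, /api/companies and /api/whiteboards, the token store, the credentials and the sample records are all hypothetical, constructed for the example.

```python
"""Authentication middleware on API routes, modelled in plain Python.

Added example, not WebErpMesv2 code. Route paths, the session store,
the credentials and the record data are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice"}

# Constructed sample records standing in for business-critical data.
COMPANIES = [{"id": 1, "name": "Acme Tooling"}]
WHITEBOARDS = [{"id": 7, "content": "Line 3 downtime 14:00"}]


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Route:
    method: str
    path: str
    handler: Callable
    middleware: tuple = ()  # e.g. ("auth",); empty means anonymous access


def authenticate(req: Request) -> Optional[str]:
    """Resolve a bearer token to a user, or None if unauthenticated."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):].strip())


def dispatch(routes, req: Request):
    """Route a request, running the 'auth' middleware where registered."""
    for route in routes:
        if (route.method, route.path) != (req.method, req.path):
            continue
        user = None
        if "auth" in route.middleware:
            user = authenticate(req)
            if user is None:
                return 401, {"error": "unauthenticated"}
        return route.handler(req, user)
    return 404, {"error": "not found"}


# Hypothetical handlers. They do not check authentication themselves,
# which is exactly why the middleware on the route matters.
def login(req, user):
    if req.body.get("user") == "alice" and req.body.get("password") == "correct horse":
        return 200, {"token": "tok-alice"}
    return 401, {"error": "bad credentials"}


def list_companies(req, user):
    return 200, {"companies": COMPANIES}


def create_company(req, user):
    record = {"id": len(COMPANIES) + 1, "name": req.body["name"]}
    COMPANIES.append(record)
    return 201, record


def list_whiteboards(req, user):
    return 200, {"whiteboards": WHITEBOARDS}


def build_routes(protect_api: bool):
    """Vulnerable table (protect_api=False) vs fixed table (protect_api=True)."""
    auth = ("auth",) if protect_api else ()
    return [
        Route("POST", "/api/login", login),  # deliberately anonymous
        Route("GET", "/api/companies", list_companies, auth),
        Route("POST", "/api/companies", create_company, auth),
        Route("GET", "/api/whiteboards", list_whiteboards, auth),
    ]


# AC-14 style allow-list: the only actions permitted without authentication.
ANONYMOUS_ALLOWED = {("POST", "/api/login")}


def audit_routes(routes):
    """Return (method, path) of routes reachable anonymously but not allow-listed."""
    return [
        (r.method, r.path)
        for r in routes
        if (r.method, r.path) not in ANONYMOUS_ALLOWED and "auth" not in r.middleware
    ]


if __name__ == "__main__":
    anon = Request("GET", "/api/companies")
    print("vulnerable:", dispatch(build_routes(False), anon))
    print("fixed:", dispatch(build_routes(True), anon))
    print("audit (vulnerable):", audit_routes(build_routes(False)))
    print("audit (fixed):", audit_routes(build_routes(True)))
```

audit_routes is the check worth porting to whatever framework you run: enumerate the registered routes, and flag every one that reaches an API handler without the authentication middleware unless it sits on a deliberately maintained allow-list of anonymous actions. Running that audit in CI catches the next endpoint added without middleware before it ships.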
Details
- CWE(s)