Cyber Resilience

CVE-2026-23843

High

Published: 19 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0005 (16.4th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23843 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-16 (Security and Privacy Attributes).

Deeper analysis

CVE-2026-23843 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting the offer view functionality in teklifolustur_app, a web-based PHP application for creating, managing, and tracking client quotes. The flaw exists prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c due to missing authorization checks that verify whether a requested offer belongs to the currently authenticated user. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low privileges required.

Authenticated users can exploit this vulnerability over the network with low complexity by manipulating the offer_id parameter in requests to the offer view endpoint, thereby accessing offers created by other users. Successful exploitation allows unauthorized viewing of sensitive quote data, potentially exposing client details, pricing information, or other confidential business data without impacting availability.

Mitigation is provided in commit dd082a134a225b8dcd401b6224eead4fb183ea1c of the teklifolustur_app repository, which adds the necessary authorization checks. Additional details are available in the GitHub security advisory at GHSA-6h9r-mmg3-cg7m. Security practitioners should ensure deployments are updated to or beyond this commit to prevent exploitation.

EU & UK References

Vulnerability details

teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by missing authorization checks ensuring that the requested offer belongs to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

IDOR in a network-accessible web app directly enables exploitation of the public-facing application to access unauthorized data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-50693 (shared CWE-639)
CVE-2025-69394 (shared CWE-639)
CVE-2026-41471 (shared CWE-639)
CVE-2025-58402 (shared CWE-639)
CVE-2025-68051 (shared CWE-639)
CVE-2026-4503 (shared CWE-639)
CVE-2026-43890 (shared CWE-639)
CVE-2026-25563 (shared CWE-639)
CVE-2024-8261 (shared CWE-639)
CVE-2026-3321 (shared CWE-639)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces authorization checks on the offer_id parameter to ensure the requested offer belongs to the authenticated user, blocking the IDOR access.

prevent: Limits each user's privileges so they cannot retrieve or view offer objects outside their own account even if the parameter is manipulated.

prevent: Requires binding and enforcing security attributes (e.g., owner identity) on offer objects before permitting access, addressing the missing ownership verification.
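The missing ownership check described in the Deeper analysis, and the control the Mitigating Controls section calls for, look like this in code. The block below is an added example written for this page, not code from teklifolustur_app or from its fix commit: it places an offer view handler in the IDOR-prone shape beside a hardened version whose lookup is bound to the authenticated user. The table layout (`offers` with `id`, `user_id`, `title`, `total`), the `$session['user_id']` convention and the sample rows are all assumptions constructed for the demonstration.

```php
<?php
// Added example, not code from teklifolustur_app or its fix commit.
// Assumed (hypothetical) schema: table `offers` with columns id, user_id,
// title, total. Assumed session layout: $session['user_id'] holds the id of
// the authenticated user.

declare(strict_types=1);

const OFFER_COLUMNS = 'id, user_id, title, total';

// Vulnerable shape (CWE-639): the row is selected by the client-supplied
// offer_id alone, so any authenticated user can read any offer.
function viewOfferVulnerable(PDO $db, array $request): array
{
    $offerId = (int) ($request['offer_id'] ?? 0);
    $stmt = $db->prepare('SELECT ' . OFFER_COLUMNS . ' FROM offers WHERE id = :id');
    $stmt->execute([':id' => $offerId]);
    $offer = $stmt->fetch(PDO::FETCH_ASSOC);
    return $offer ? ['status' => 200, 'offer' => $offer] : ['status' => 404, 'offer' => null];
}

// Hardened shape: ownership is part of the query predicate, so the identifier
// the client supplies can only ever resolve to an offer the current user owns.
function viewOfferHardened(PDO $db, array $request, array $session): array
{
    if (!isset($session['user_id'])) {
        return ['status' => 401, 'offer' => null];
    }
    // Reject anything that is not a positive integer before it reaches the query.
    $offerId = filter_var(
        $request['offer_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($offerId === false) {
        return ['status' => 400, 'offer' => null];
    }
    $stmt = $db->prepare(
        'SELECT ' . OFFER_COLUMNS . ' FROM offers WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $offerId, ':uid' => (int) $session['user_id']]);
    $offer = $stmt->fetch(PDO::FETCH_ASSOC);
    // Same 404 for "does not exist" and "belongs to someone else": the response
    // must not confirm that a foreign offer_id is valid.
    return $offer ? ['status' => 200, 'offer' => $offer] : ['status' => 404, 'offer' => null];
}

// Constructed demonstration against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE offers (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT, total REAL)');
$db->exec("INSERT INTO offers (id, user_id, title, total) VALUES
    (1, 10, 'Website redesign', 4200.00),
    (2, 20, 'Hosting renewal', 300.00)");

// Session of user 10; offer 1 is theirs, offer 2 belongs to user 20.
$sessionUser10 = ['user_id' => 10];
foreach ([['offer_id' => '1'], ['offer_id' => '2'], ['offer_id' => 'abc']] as $request) {
    $v = viewOfferVulnerable($db, $request);
    $h = viewOfferHardened($db, $request, $sessionUser10);
    printf(
        "offer_id=%-4s vulnerable: HTTP %d (owner %s)  hardened: HTTP %d\n",
        $request['offer_id'],
        $v['status'],
        $v['offer']['user_id'] ?? 'n/a',
        $h['status']
    );
}
```

Binding the owner inside the WHERE clause is preferable to fetching by id and comparing afterwards, because the check cannot be forgotten on a new code path that reuses the query, and it is what the AC-3 and AC-16 controls above amount to in practice. On the detection side, a burst of 404 responses from the offer view within one session is a cheap signal that someone is walking offer_id values, so the hardened handler's uniform 404 is worth logging with the session id.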

References