CVE-2026-23843
Published: 19 January 2026
Summary
CVE-2026-23843 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-16 (Security and Privacy Attributes).
Deeper analysis
CVE-2026-23843 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, in the offer view functionality of teklifolustur_app, a web-based PHP application for creating, managing, and tracking client quotes. Versions prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c look up an offer by its identifier alone; the endpoint never checks that the requested offer belongs to the currently authenticated user. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N): high confidentiality impact, reachable by any low-privileged authenticated account.
Authenticated users can exploit this vulnerability over the network with low complexity by manipulating the offer_id parameter in requests to the offer view endpoint, thereby accessing offers created by other users. Successful exploitation allows unauthorized viewing of sensitive quote data, potentially exposing client details, pricing information, or other confidential business data without impacting availability.
Mitigation is provided in commit dd082a134a225b8dcd401b6224eead4fb183ea1c of the teklifolustur_app repository, which adds the necessary authorization checks. Additional details are available in the GitHub security advisory at GHSA-6h9r-mmg3-cg7m. Security practitioners should ensure deployments are updated to or beyond this commit to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3298
Vulnerability details
teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by missing authorization checks ensuring that the requested offer belongs to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR in a network-accessible web app directly enables exploitation of the public-facing application to access unauthorized data.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces an authorization check on the offer_id parameter so that the requested offer must belong to the authenticated user, blocking the IDOR access.
- Least privilege: limits each user's privileges so they cannot retrieve or view offer objects outside their own account even if the parameter is manipulated.
- AC-16 (Security and Privacy Attributes): requires binding and enforcing security attributes (e.g., owner identity) on offer objects before permitting access, addressing the missing ownership verification.
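The following is an added example, not code from teklifolustur_app or from the fixing commit. It illustrates the pattern described under "Deeper analysis" and the access-enforcement control above: an offer view that fetches by the user-controlled offer_id alone, beside the same view with the owner bound into the lookup. The table and column names (offers, id, user_id, client, total), the in-memory SQLite database, the sample rows and the request array are all assumptions constructed for the example.

```php
<?php
// Added example (not teklifolustur_app code): IDOR on offer_id and the
// ownership check that closes it. Schema, sample data and request shape
// are assumptions made for this illustration.
declare(strict_types=1);

function seedDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE offers (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL,
        client TEXT NOT NULL,
        total REAL NOT NULL)');
    $ins = $db->prepare('INSERT INTO offers (id, user_id, client, total) VALUES (?, ?, ?, ?)');
    // Constructed sample rows: user 1 owns offer 10, user 2 owns offer 11.
    $ins->execute([10, 1, 'Acme Ltd', 1250.00]);
    $ins->execute([11, 2, 'Globex GmbH', 9800.00]);
    return $db;
}

// Validate the request parameter before it reaches any query: only a
// positive integer is accepted, anything else is treated as "no offer".
function parseOfferId(array $query): ?int
{
    $raw = $query['offer_id'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Vulnerable pattern: the row is selected by the user-controlled key alone.
// $currentUserId is available but never consulted, which is the whole bug.
function viewOfferVulnerable(PDO $db, int $currentUserId, int $offerId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, client, total FROM offers WHERE id = ?');
    $stmt->execute([$offerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: ownership is part of the lookup itself. A foreign id and
// a non-existent id both yield "no row", so the response gives no oracle
// that lets a caller tell "not yours" apart from "does not exist".
function viewOfferFixed(PDO $db, int $currentUserId, int $offerId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, client, total FROM offers WHERE id = ? AND user_id = ?');
    $stmt->execute([$offerId, $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = seedDatabase();
$currentUserId = 1;                   // session authenticated as user 1
$request = ['offer_id' => '11'];      // constructed request for user 2's offer
$offerId = parseOfferId($request);

if ($offerId === null) {
    http_response_code(404);
    exit("Not found\n");
}

$leaked = viewOfferVulnerable($db, $currentUserId, $offerId);
$denied = viewOfferFixed($db, $currentUserId, $offerId);

printf("vulnerable: %s\n", $leaked !== null
    ? "user {$currentUserId} read offer {$leaked['id']} ({$leaked['client']}, {$leaked['total']})"
    : 'no row');
printf("fixed:      %s\n", $denied !== null
    ? "returned offer {$denied['id']}"
    : 'no row, respond 404');
```

Run with the php CLI (pdo_sqlite is bundled with most builds). Two practical points follow from the page's description. First, the fix belongs in the data access path, not only in the view handler: any other endpoint that accepts an offer_id (edit, delete, export) needs the same owner binding, and a code review of the patched commit should confirm where the check was placed. Second, when the check fails, answer with the same status you use for a missing offer (404 rather than 403); a distinct "forbidden" response confirms to an enumerating client that the id exists and belongs to someone else.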