CVE-2026-3053
Published: 24 February 2026
Summary
CVE-2026-3053 is a high-severity Improper Authentication (CWE-287) vulnerability in Dinky Dinky. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access, directly addressing the missing authentication enforcement on the OpenAPI endpoint.
Requires unique identification and authentication for non-organizational users, preventing remote attackers from bypassing authentication on the vulnerable endpoint.
Explicitly identifies and limits user actions permitted without identification or authentication, ensuring critical OpenAPI functions require authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of a public-facing OpenAPI endpoint due to missing authentication, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was determined in DataLinkDC dinky up to 1.2.5. This affects the function addInterceptors of the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java of the component OpenAPI Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely.…
more
The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-3053 is a vulnerability in DataLinkDC dinky versions up to 1.2.5, affecting the addInterceptors function in the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java within the OpenAPI Endpoint component. The flaw enables missing authentication through manipulation, as classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). It was published on 2026-02-24 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction and face low attack complexity to exploit the issue over the network. Successful exploitation bypasses authentication on the OpenAPI Endpoint, granting unauthorized access with low impacts on confidentiality, integrity, and availability.
Advisories on VulDB and GitHub (AnalogyC0de/public_exp issues #6 and #3935019636) publicly disclose a working exploit that may be utilized. The vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available.
Details
- CWE(s)