Cyber Resilience

CVE-2026-3053

MediumPublic PoC

Published: 24 February 2026

Published
24 February 2026
Modified
25 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0067 47.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-3053 is a medium-severity Improper Authentication (CWE-287) vulnerability in Dinky Dinky. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-3053 is a vulnerability in DataLinkDC dinky versions up to 1.2.5, affecting the addInterceptors function in the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java within the OpenAPI Endpoint component. The flaw enables missing authentication through manipulation, as classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). It was published on 2026-02-24 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction and face low attack complexity to exploit the issue over the network. Successful exploitation bypasses authentication on the OpenAPI Endpoint, granting unauthorized access with low impacts on confidentiality, integrity, and availability.

Advisories on VulDB and GitHub (AnalogyC0de/public_exp issues #6 and #3935019636) publicly disclose a working exploit that may be utilized. The vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was determined in DataLinkDC dinky up to 1.2.5. This affects the function addInterceptors of the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java of the component OpenAPI Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely.…

more

The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote exploitation of a public-facing OpenAPI endpoint due to missing authentication, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3052Same product: Dinky Dinky
CVE-2026-3051Same product: Dinky Dinky
CVE-2026-4959Shared CWE-287, CWE-306
CVE-2026-7723Shared CWE-287, CWE-306
CVE-2026-3192Shared CWE-287, CWE-306
CVE-2025-11529Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-4562Shared CWE-287, CWE-306
CVE-2026-40344Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306

Affected Assets

dinky
dinky
≤ 1.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access, directly addressing the missing authentication enforcement on the OpenAPI endpoint.

prevent

Requires unique identification and authentication for non-organizational users, preventing remote attackers from bypassing authentication on the vulnerable endpoint.

prevent

Explicitly identifies and limits user actions permitted without identification or authentication, ensuring critical OpenAPI functions require authentication.

References