CVE-2026-30689
Published: 27 March 2026
Summary
CVE-2026-30689 is a high-severity Improper Access Control (CWE-284) vulnerability in Anjoy8 Blog.Admin. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking is at the 18.2nd percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-30689 is an improper access control vulnerability in the getinfobytoken API interface of blog.admin versions 8.0 and earlier. This flaw allows sensitive data exposure, enabling unauthorized parties to obtain sensitive administrator account information through a valid token, thereby threatening overall system security. The vulnerability is classified under CWE-284 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no privileges required.
A remote attacker with no authentication can exploit this vulnerability over the network with low complexity and no user interaction. By sending a request to the affected API endpoint using a valid token, the attacker can retrieve sensitive administrator account details, potentially facilitating further attacks such as account takeover or privilege escalation.
Advisories and additional details are available in the provided references, including the vendor site at http://blagadmin.com, a GitHub Gist at https://gist.github.com/Sw3092567023/c420c6a5ee947d72aeab2b3e0ba92a40, and the related Blog.Core repository at https://github.com/anjoy8/Blog.Core, which may cover patches or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16604
Vulnerability details
The getinfobytoken API interface of blog.admin v8.0 and earlier contains an improper access control that leads to sensitive data exposure. Unauthorized parties can obtain sensitive administrator account information via a valid token, threatening system security.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control in the public-facing getinfobytoken API allows remote, unauthenticated exploitation that discloses sensitive administrator account data.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): requires enforcement of approved authorizations for access to sensitive administrator information, directly addressing the improper access control in the getinfobytoken API.
- AC-24 (Access Control Decisions): ensures that access control decisions for system resources such as the API endpoint authorize each request on the basis of the token's validated identity and privileges, not merely on the presence of a valid token, preventing unauthorized exposure of admin data.
- Monitors for unauthorized disclosures of sensitive information, such as administrator account details leaked via the vulnerable API interface.
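As an added illustration of the AC-3 and AC-24 controls above (example code, not Blog.Admin's own; the token format, user store and field names are assumptions), a token-info handler that derives identity from the token's subject, checks the caller's role before reading any other account, and never serialises credentials or secrets:

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"        # constructed; load from config in real code
PUBLIC_FIELDS = {"id", "username", "role"}  # allow-list: everything else is withheld
USERS = {  # constructed user store; field names are assumptions
    "1": {"id": "1", "username": "admin", "role": "Admin",
          "password_hash": "<hash>", "totp_secret": "<secret>"},
    "2": {"id": "2", "username": "reader", "role": "User",
          "password_hash": "<hash>", "totp_secret": "<secret>"},
}

def issue_token(uid, ttl=3600, now=None):
    """HMAC-signed token carrying the subject and an expiry (assumed format)."""
    now = time.time() if now is None else now
    body = base64.urlsafe_b64encode(json.dumps({"sub": uid, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def verify_token(token, now=None):
    """Return the claims only if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError):
        return None

def get_info_by_token(token, requested_uid=None, now=None):
    """Hardened handler: a valid token alone is not enough to read an account."""
    claims = verify_token(token, now)
    if claims is None:                       # AC-3: no valid authorization, no data
        return {"error": "unauthorized"}
    caller = USERS.get(claims.get("sub"))
    if caller is None:
        return {"error": "unauthorized"}
    target_uid = requested_uid or caller["id"]
    # AC-24: the decision rests on the token's subject and role, not on what the
    # request asks for; non-admins may only read their own record
    if target_uid != caller["id"] and caller["role"] != "Admin":
        return {"error": "forbidden"}
    target = USERS.get(target_uid)
    if target is None:
        return {"error": "not found"}
    # Even an authorized read never serialises credentials or secrets
    return {k: v for k, v in target.items() if k in PUBLIC_FIELDS}
```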