Cyber Posture

CVE-2026-31151

Critical · Public PoC

Published: 06 April 2026

Modified: 10 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (17.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31151 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Kaleris Yard Management Solutions. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 17.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Mandates robust identification and authentication for organizational users, directly preventing bypasses in the login mechanism exploited by this CVE.
- prevent (AC-3, Access Enforcement): Enforces logical access authorizations in accordance with policy, blocking unauthorized resource access resulting from authentication bypass.
- prevent (AC-14, Permitted Actions Without Identification or Authentication): Explicitly identifies and limits actions permitted without identification or authentication, mitigating CWE-288 alternate-path bypasses like this vulnerability.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An authentication bypass in the network-accessible login mechanism of the public-facing YMS application directly enables initial access through exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources.

Deeper analysis (AI-generated)

CVE-2026-31151 is a critical authentication bypass vulnerability in the login mechanism of Kaleris Yard Management System (YMS) version 7.2.2.1. Published on April 6, 2026, the flaw, classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), enables attackers to circumvent login verification and gain unauthorized access to the application's resources. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote attackers require no authentication to exploit this issue over the network with minimal effort. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability of the affected resources, potentially allowing full control over the YMS application.

Advisories and further details are available in the referenced sources, including a GitHub repository at https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151 documenting the CVE and the Kaleris product page at https://kaleris.com/solutions/yard-management/. Practitioners should consult these for mitigation guidance and patch information specific to Kaleris YMS deployments.

Details

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

Affected Products

- Vendor: kaleris
- Product: yard management solutions
- Version: 7.2.2.1

CVEs Like This One

- CVE-2026-25471 (shared CWE-288)
- CVE-2026-40630 (shared CWE-288)
- CVE-2025-67039 (shared CWE-288)
- CVE-2025-13539 (shared CWE-288)
- CVE-2025-64236 (shared CWE-288)
- CVE-2025-27129 (shared CWE-288)
- CVE-2025-5955 (shared CWE-288)
- CVE-2025-63217 (shared CWE-288)
- CVE-2025-67070 (shared CWE-288)
- CVE-2025-5397 (shared CWE-288)

References