Cyber Resilience

CVE-2026-31151

Critical · Public PoC

Published: 06 April 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: (none recorded)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0038 (29.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-31151 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Kaleris Yard Management Solutions. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-31151 is a critical authentication bypass vulnerability in the login mechanism of Kaleris Yard Management System (YMS) version 7.2.2.1. Published on April 6, 2026, the flaw, classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), enables attackers to circumvent login verification and gain unauthorized access to the application's resources. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote attackers require no authentication to exploit this issue over the network with minimal effort. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability of the affected resources, potentially allowing full control over the YMS application.

Advisories and further details are available in the referenced sources, including a GitHub repository at https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151 documenting the CVE and the Kaleris product page at https://kaleris.com/solutions/yard-management/. Practitioners should consult these for mitigation guidance and patch information specific to Kaleris YMS deployments.

Vulnerability details

An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources.

CWE(s)

CWE-288 Authentication Bypass Using an Alternate Path or Channel

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in network-accessible login mechanism of public-facing YMS application directly enables initial access via exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44574 (shared CWE-288)
CVE-2025-2747 (shared CWE-288)
CVE-2025-69101 (shared CWE-288)
CVE-2026-2628 (shared CWE-288)
CVE-2025-64121 (shared CWE-288)
CVE-2026-22733 (shared CWE-288)
CVE-2026-44575 (shared CWE-288)
CVE-2025-50904 (shared CWE-288)
CVE-2025-24846 (shared CWE-288)
CVE-2026-25002 (shared CWE-288)

Affected Assets

Vendor: Kaleris
Product: Yard Management Solutions
Version: 7.2.2.1

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Mandates robust identification and authentication for organizational users, directly preventing bypasses in the login mechanism exploited by this CVE.

AC-3 (Access Enforcement) · prevent: Enforces logical access authorizations in accordance with policy, blocking unauthorized resource access resulting from authentication bypass.

AC-14 (Permitted Actions Without Identification or Authentication) · prevent: Explicitly identifies and limits actions permitted without identification or authentication, mitigating CWE-288 alternate path bypasses like this vulnerability.
