Cyber Posture

CVE-2026-31271 (Critical)

Published: 07 April 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (42.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31271 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks this CVE at the 42.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: Enforces approved authorizations for access to the /user/insert endpoint, directly preventing unauthenticated attackers from creating super administrator accounts.
- Prevent: Requires identification and authentication of organizational users before allowing access to sensitive functions like user insertion, addressing the missing authentication checks in UserController.java.
- Prevent: Manages account provisioning and creation processes to ensure only authorized entities can create accounts, mitigating unauthorized super administrator account creation.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an authorization bypass in a public-facing web application endpoint (/user/insert), allowing unauthenticated attackers to create super administrator accounts, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise.

Deeper analysis [AI-generated]

CVE-2026-31271 is an authorization bypass vulnerability affecting megagao production_ssm version 1.0. The flaw resides in the user addition functionality, specifically the insert() method within UserController.java, which lacks proper authentication checks. This allows attackers to interact with the vulnerable component without verifying user privileges, as documented under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability by directly accessing the /user/insert endpoint. By sending crafted requests to this endpoint, they can create super administrator accounts, granting full control over the system. Successful exploitation leads to complete system compromise, enabling arbitrary administrative actions such as data manipulation, privilege escalation, or further persistence.

The advisory detailing this issue is available at https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md, which documents the unauthorized access mechanism but does not specify patches or mitigations in the provided references. Security practitioners should review the source code for affected deployments and implement access controls on the /user/insert endpoint, such as requiring authentication tokens or IP whitelisting, pending official vendor guidance.
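The fix the analysis above calls for (an access check on /user/insert, with account creation restricted to already-authorized administrators) is easiest to see in code. The following is an added illustration written for this page, not the megagao production_ssm source: it shows a Spring MVC controller in the shape the advisory describes, with the unchecked handler kept as a comment for contrast, a hardened handler that authenticates the caller, authorizes the action and validates the requested role, and a central interceptor that closes the same gap for every endpoint. It assumes Spring 5 with the javax.servlet API; the class, method and session-key names (User, UserService, "currentUser", LoginRequiredInterceptor) are hypothetical.

```java
// Added illustration, not the megagao production_ssm source. Shows the
// controller shape the advisory describes (an insert handler with no
// authentication or authorization check) beside a hardened handler and a
// central interceptor. All class, method and session-key names are hypothetical.
package example.security;

import java.io.IOException;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.HandlerInterceptor;

// Minimal stand-ins for the application's user model and persistence layer.
class User {
    public String username;
    public String role;   // e.g. "user" or "superadmin"
    boolean isSuperAdmin() { return "superadmin".equals(role); }
}

interface UserService {
    void insert(User user);
}

@RestController
@RequestMapping("/user")
public class HardenedUserController {

    // Roles an administrator may assign when creating an account. The server
    // decides what a new account can be, not the request body (AC-2).
    private static final Set<String> ALLOWED_NEW_ROLES = Set.of("user", "superadmin");

    private final UserService userService;

    public HardenedUserController(UserService userService) {
        this.userService = userService;
    }

    // VULNERABLE SHAPE, kept commented out for contrast: the handler trusts the
    // request entirely, so anyone who can reach /user/insert can create a user
    // with any role. This is the CWE-288 pattern the advisory describes: the
    // endpoint is an alternate path around the login flow.
    //
    // @PostMapping("/insert")
    // public ResponseEntity<String> insert(@RequestBody User user) {
    //     userService.insert(user);
    //     return ResponseEntity.ok("created");
    // }

    // HARDENED: authenticate, then authorize (AC-3), then validate the role.
    @PostMapping("/insert")
    public ResponseEntity<String> insert(@RequestBody User user, HttpSession session) {
        // "currentUser" is a hypothetical attribute the login handler sets.
        User caller = (User) session.getAttribute("currentUser");
        if (caller == null) {                      // not logged in at all
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("login required");
        }
        if (!caller.isSuperAdmin()) {              // logged in, but not allowed to create accounts
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("administrator role required");
        }
        if (user.role == null || !ALLOWED_NEW_ROLES.contains(user.role)) {
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("unknown role");
        }
        userService.insert(user);
        return ResponseEntity.ok("created");
    }
}

// Defense in depth: a central interceptor rejects unauthenticated requests to
// every path except the login page and static assets, so a handler that
// forgets its own check (as insert() did) is still not reachable anonymously.
// Register it via WebMvcConfigurer.addInterceptors or <mvc:interceptors>.
class LoginRequiredInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler)
            throws IOException {
        String path = req.getRequestURI();
        if (path.equals("/login") || path.startsWith("/static/")) {
            return true;
        }
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("currentUser") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login required");
            return false;
        }
        return true;
    }
}
```

The per-handler check is the minimal fix for the method the advisory names; the interceptor is what keeps the same class of bug from reappearing in the next handler someone adds. Both checks return distinct status codes (401 for no session, 403 for insufficient role), which also gives defenders a clean signal in access logs: repeated 401s on /user/insert from outside the management network are exactly the probing this CVE invites.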

Details

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

CVEs Like This One

- CVE-2025-0749 (shared CWE-288)
- CVE-2025-68860 (shared CWE-288)
- CVE-2026-1779 (shared CWE-288)
- CVE-2025-10484 (shared CWE-288)
- CVE-2025-62064 (shared CWE-288)
- CVE-2025-63217 (shared CWE-288)
- CVE-2025-64236 (shared CWE-288)
- CVE-2025-13539 (shared CWE-288)
- CVE-2025-67915 (shared CWE-288)
- CVE-2024-26009 (shared CWE-288)

References

- Advisory: https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md