CVE-2026-3263
Published: 26 February 2026
Summary
CVE-2026-3263 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Go2Ismail Asp.Net-Core-Inventory-Order-Management-System. Its CVSS base score is reported here as 5.3 (Medium); the CVSS v3.1 vector cited in the deeper analysis below scores 6.3, also Medium.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-3263 is an improper authorization vulnerability (CWE-266, CWE-285) affecting the go2ismail Asp.Net-Core-Inventory-Order-Management-System up to version 9.20250118. The issue resides in an unknown functionality of the /api/Security/ endpoint within the Security API component. It has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-02-26.
The vulnerability enables remote exploitation by an attacker possessing low privileges over the network with low complexity and no user interaction required. Successful manipulation leads to limited impacts on confidentiality, integrity, and availability, stemming from the improper authorization mechanism.
Advisories on VulDB (ctiid.347986, id.347986, submit.758335) and a GitHub repository (Ghufran2/CVE-Asp.Net-Core-Inventory-Order-Management-System-Advisories) document the flaw, with the GitHub entry describing it as an IDOR leading to full system compromise. That characterisation goes beyond the CVSS vector above, which rates confidentiality, integrity and availability impact as Low; treat "full compromise" as the third-party reporter's assessment until the affected functionality of /api/Security/ is identified. The vendor was notified early but provided no response, and no patches or specific mitigations are available. In the absence of a fix, the practical option is the compensating control described under Mitigating Controls: restrict /api/Security/ to administrative identities at the application or gateway layer rather than relying on the endpoint's own authorization logic.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8904
Vulnerability details
A vulnerability was found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected by this vulnerability is an unknown functionality of the file /api/Security/ of the component Security API. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-266 (Incorrect Privilege Assignment), CWE-285 (Improper Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1068 Exploitation for Privilege Escalation
Why these techniques?
Improper authorization (IDOR) in a public-facing web API lets a remote attacker exploit the internet-facing application for initial access (T1190). The second mapping, exploitation for privilege escalation (T1068), rests on the third-party advisory's claim of full compromise; the CVSS vector itself rates impact as Low on all three axes, so T1068 should be read as the worst case rather than the confirmed one.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations on the /api/Security/ endpoint, blocking the improper authorization (CWE-285) that enables the IDOR-style access.
- AC-6 (Least Privilege): Limits privileges to the minimum required, preventing low-privilege accounts from reaching or manipulating unauthorized Security API functionality.
- Ensures access control decisions are enforced at the point of the vulnerable endpoint rather than relying on absent or bypassed authorization logic.
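The vulnerable and hardened shapes of such an endpoint, as an added example that is not code from go2ismail's project. The page does not identify the affected functionality, so the SecurityProfile record, the /api/Security/{id} route shape, the "Admin" role and the sample records are all assumptions chosen to illustrate CWE-285 and the AC-3/AC-6 controls. It is a plain .NET console program (dotnet run in a console project targeting .NET 6 or later) that models the handler as a function of the caller's ClaimsPrincipal and the requested id, which is enough to show the point without wiring authentication:

```csharp
// Added illustration, not code from Asp.Net-Core-Inventory-Order-Management-System.
// The record type, route shape, role names and sample data are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical resource behind the Security API.
public sealed record SecurityProfile(int Id, string OwnerUserId, string Email, bool MfaEnabled);

// Stand-in for an HTTP response: status code plus optional body.
public sealed record ApiResult(int StatusCode, SecurityProfile? Body);

public static class SecurityApiDemo
{
    // Constructed sample data standing in for the application's database.
    private static readonly Dictionary<int, SecurityProfile> Store = new()
    {
        [1] = new SecurityProfile(1, "u-alice", "alice@example.test", true),
        [2] = new SecurityProfile(2, "u-bob",   "bob@example.test",   false),
    };

    // VULNERABLE pattern (CWE-285 / IDOR): the only gate is "is authenticated",
    // which is exactly the PR:L precondition in the CVSS vector. Any logged-in
    // caller reads any profile by choosing the id in the route.
    public static ApiResult GetProfileVulnerable(ClaimsPrincipal caller, int id)
    {
        if (caller.Identity?.IsAuthenticated != true) return new ApiResult(401, null);
        return Store.TryGetValue(id, out var profile)
            ? new ApiResult(200, profile)
            : new ApiResult(404, null);
    }

    // HARDENED pattern (AC-3 access enforcement, AC-6 least privilege): the
    // decision is made at the endpoint from the caller's verified claims, never
    // from the caller-supplied id. Deny unless the caller is an Admin or owns
    // the record.
    public static ApiResult GetProfileHardened(ClaimsPrincipal caller, int id)
    {
        if (caller.Identity?.IsAuthenticated != true) return new ApiResult(401, null);
        if (!Store.TryGetValue(id, out var profile)) return new ApiResult(404, null);

        string? callerId = caller.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        bool isAdmin = caller.IsInRole("Admin");
        bool isOwner = callerId is not null && callerId == profile.OwnerUserId;
        if (!isAdmin && !isOwner) return new ApiResult(403, null);

        return new ApiResult(200, profile);
    }

    // Builds a caller for the scenarios below; stands in for the principal that
    // ASP.NET Core's authentication middleware would populate from a JWT or cookie.
    public static ClaimsPrincipal MakeCaller(string userId, params string[] roles)
    {
        var identity = new ClaimsIdentity(authenticationType: "Demo");
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        foreach (var role in roles) identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var bob   = MakeCaller("u-bob", "User");    // low-privilege account
        var admin = MakeCaller("u-root", "Admin");  // administrative account

        // Bob asks for Alice's profile (id 1) under both handlers.
        Console.WriteLine($"vulnerable  bob   -> /api/Security/1 : {GetProfileVulnerable(bob, 1).StatusCode}");
        Console.WriteLine($"hardened    bob   -> /api/Security/1 : {GetProfileHardened(bob, 1).StatusCode}");
        // Bob asks for his own profile (id 2); admin asks for Alice's.
        Console.WriteLine($"hardened    bob   -> /api/Security/2 : {GetProfileHardened(bob, 2).StatusCode}");
        Console.WriteLine($"hardened    admin -> /api/Security/1 : {GetProfileHardened(admin, 1).StatusCode}");
    }
}
```

The hardened handler answers 403 for a record the caller may not see and 404 for one that does not exist; that distinction leaks which ids are valid, so an endpoint that is exposed to low-privilege accounts is often better off returning 404 for both cases. In a real ASP.NET Core controller the same ownership check belongs in an AuthorizationHandler with a resource-based policy evaluated through IAuthorizationService, so that it cannot be forgotten on a sibling action.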