CVE-2026-3762
Published: 08 March 2026
Summary
CVE-2026-3762 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Lerouxyxchire Client Database Management System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-3762 is an improper authorization vulnerability affecting SourceCodester Client Database Management System versions 1.0 and 3.1. The flaw resides in an unknown function within the file /superadmin_delete_manager.php of the Endpoint component, where manipulation of the manager_id argument circumvents authorization controls. Published on 2026-03-08, it is associated with CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), earning a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction required. By manipulating the manager_id parameter, an attacker can invoke the endpoint's delete action without authorization, resulting in low impact to confidentiality, integrity, and availability.
VulDB advisories (ctiid.349740, id.349740, submit.768122) detail the issue and recent submission, while a proof-of-concept exploit is publicly disclosed on GitHub at https://gist.github.com/Adarshh-A/1aae387a3cf4ea05c871ddafc64d0348. The vendor site at https://www.sourcecodester.com/ hosts the affected software, where security practitioners should check for patches or updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10265
Vulnerability details
A vulnerability has been found in SourceCodester Client Database Management System 1.0/3.1. Impacted is an unknown function of the file /superadmin_delete_manager.php of the component Endpoint. The manipulation of the argument manager_id leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of improper authorization in a public-facing web application endpoint (/superadmin_delete_manager.php) via parameter manipulation, matching T1190.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces authorization checks on the manager_id parameter before allowing delete actions in /superadmin_delete_manager.php.
- Requires that the endpoint only permit the minimum privileges needed, blocking unauthenticated manipulation of manager accounts.
- Ensures access-control decisions are made and enforced for every request to the affected endpoint rather than relying on absent checks.
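To make the controls above concrete, here is an added example (not the project's PHP code) that models a delete-manager endpoint in Python: the vulnerable shape, which trusts manager_id without asking who is calling, beside a hardened version that enforces method, identity, role, a CSRF token and input validation before touching the store. The Request/ManagerStore types, the role value "superadmin" and the in-memory manager table are constructed assumptions.

```python
# Added example: a minimal model of the affected delete-manager endpoint,
# written to show the missing authorization check and its fix. It is not
# the project's PHP code; Request, ManagerStore and the role names are assumptions.
from dataclasses import dataclass, field
import hmac


@dataclass
class Request:
    method: str
    params: dict                                  # query/form data, e.g. {"manager_id": "3"}
    session: dict = field(default_factory=dict)   # empty dict models an unauthenticated caller


@dataclass
class ManagerStore:
    # Constructed sample data standing in for the managers table.
    managers: dict = field(default_factory=lambda: {1: "alice", 2: "bob", 3: "carol"})


def delete_manager_vulnerable(req: Request, store: ManagerStore) -> int:
    """CWE-285 shape: the handler acts on manager_id without checking who is calling."""
    store.managers.pop(int(req.params["manager_id"]), None)
    return 302  # redirects back to the listing even for an anonymous GET


def delete_manager_hardened(req: Request, store: ManagerStore) -> int:
    """AC-3 / AC-6 applied: refuse before doing any work unless every check passes."""
    if req.method != "POST":
        return 405  # state-changing action: no GET with ?manager_id=
    if not req.session.get("user_id") or req.session.get("role") != "superadmin":
        return 403  # unauthenticated or insufficiently privileged caller
    sent = req.params.get("csrf_token", "")
    expected = req.session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), sent.encode()):
        return 403  # missing or wrong per-session CSRF token
    raw = req.params.get("manager_id", "")
    if not raw.isdigit() or int(raw) < 1:
        return 400  # only a positive integer id reaches the data layer
    manager_id = int(raw)
    if manager_id not in store.managers:
        return 404
    del store.managers[manager_id]
    return 302
```

The hardened handler returns 403 before reading manager_id at all, which is the behaviour the AC-3 and AC-6 controls describe.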