CVE-2026-4201
Published: 16 March 2026
Summary
CVE-2026-4201 is a high-severity Improper Access Control (CWE-284) vulnerability in Feishu (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring identification, reporting, and timely correction of the unrestricted file upload flaw in SysFileController.java.
- SI-10 (Information Input Validation): prevents exploitation of unrestricted uploads by validating file types, extensions, and contents so that dangerous files are blocked before they are stored.
- AC-3 (Access Enforcement): addresses CWE-284 improper access control by enforcing approved authorizations on the Upload function, so that remote unauthenticated callers cannot reach it.
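As an added illustration of the AC-3 and SI-10 controls above (example code written for this page, not glowxq-oj's SysFileController or any vendor fix), the plain-Java handler below checks the caller's authorization before it reads the file, accepts only an allowlist of extensions, verifies the leading bytes against the declared type, rejects oversized or empty content, and stores the file under a server-generated name so the client controls neither the path nor the extension. `SafeUploadHandler`, `Principal`, `Upload`, the `ADMIN` role and the 5 MiB limit are assumptions; records require Java 16 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/** Hypothetical hardened upload handler; not the glowxq-oj code. */
public class SafeUploadHandler {

    /** Stand-in for the caller's identity; a real app would use its session or security context. */
    public record Principal(String name, Set<String> roles) {}

    /** Stand-in for an uploaded file: the name as sent by the client plus the raw bytes. */
    public record Upload(String clientFileName, byte[] content) {}

    // Allowlist of accepted extensions, each mapped to the magic bytes the content must start with.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "pdf", new byte[] {'%', 'P', 'D', 'F'});

    private static final long MAX_BYTES = 5L * 1024 * 1024; // assumed limit

    private final Path storageRoot;

    public SafeUploadHandler(Path storageRoot) {
        this.storageRoot = storageRoot.toAbsolutePath().normalize();
    }

    /** AC-3: refuse before touching the file unless the caller holds the required role. */
    static void requireAuthorized(Principal p) {
        if (p == null || !p.roles().contains("ADMIN")) {
            throw new SecurityException("upload requires an authenticated ADMIN user");
        }
    }

    /** SI-10: validate size, extension and content; returns the vetted extension. */
    static String validate(Upload u) {
        byte[] data = u.content();
        if (data.length == 0 || data.length > MAX_BYTES) {
            throw new IllegalArgumentException("rejected: empty or oversized content");
        }
        String name = u.clientFileName();
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            throw new IllegalArgumentException("rejected: no file extension");
        }
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) {
            throw new IllegalArgumentException("rejected: extension not on allowlist: " + ext);
        }
        if (data.length < magic.length || !Arrays.equals(Arrays.copyOf(data, magic.length), magic)) {
            throw new IllegalArgumentException("rejected: content does not match declared type " + ext);
        }
        return ext;
    }

    /** Stores under a random server-generated name inside storageRoot and returns the written path. */
    public Path store(Principal caller, Upload u) throws IOException {
        requireAuthorized(caller);
        String ext = validate(u);
        Path target = storageRoot.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(storageRoot)) { // defensive: the name is ours, but check anyway
            throw new SecurityException("rejected: path escapes storage root");
        }
        Files.createDirectories(storageRoot);
        return Files.write(target, u.content());
    }

    public static void main(String[] args) throws IOException {
        SafeUploadHandler h = new SafeUploadHandler(Files.createTempDirectory("uploads"));
        Principal admin = new Principal("alice", Set.of("ADMIN"));
        Principal anon = new Principal("anonymous", Set.of());
        // Constructed sample inputs: a minimal PNG header and a non-image text payload.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        byte[] text = "<% %>".getBytes(StandardCharsets.UTF_8);

        System.out.println("stored: " + h.store(admin, new Upload("avatar.png", png)));
        // A traversal-looking client name is harmless: only the vetted extension is reused.
        System.out.println("stored: " + h.store(admin, new Upload("../../x.png", png)));

        Object[][] rejected = {
            {anon, new Upload("avatar.png", png)},   // unauthenticated caller (the CVE's PR:N condition)
            {admin, new Upload("page.jsp", text)},   // extension not on the allowlist
            {admin, new Upload("fake.png", text)},   // allowed extension but wrong magic bytes
        };
        for (Object[] c : rejected) {
            try {
                h.store((Principal) c[0], (Upload) c[1]);
                System.out.println("UNEXPECTED: accepted");
            } catch (RuntimeException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

The order matters: the authorization check runs before any byte of the upload is parsed, so an unauthenticated request never reaches the validation or storage code, and the extension check is an allowlist keyed to content signatures rather than a denylist of "dangerous" extensions.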
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload (CWE-434) in a public-facing web app directly enables remote exploitation without auth (T1190), deployment of web shells for persistence/execution (T1505.003), and ingress of malicious tools/files (T1105).
NVD Description
A weakness has been identified in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-4201 is an unrestricted file upload vulnerability in the glowxq glowxq-oj application, affecting versions up to the commit hash 6f7c723090472057252040fd2bbbdaa1b5ed2393. The issue resides in the Upload function within the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. This flaw, linked to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-16.
Remote attackers can exploit this vulnerability without authentication or user interaction by manipulating the Upload function, which accepts files without restricting their type. Successful exploitation has a low impact on each of confidentiality, integrity, and availability (C:L/I:L/A:L), but the ability to place attacker-chosen files on the server can lead to further system compromise.
Advisories from VulDB indicate that an exploit is publicly available and the vendor was contacted early but provided no response. The product lacks versioning, so no specific affected or patched releases are identified, and no mitigation or patch details are available in the referenced sources, including the Feishu document and VulDB entries.
Notable context includes the public availability of the exploit, increasing the risk of attacks against exposed instances, with no reported real-world exploitation or AI/ML relevance.
Details
- CWE(s)