CVE-2026-4617
Published: 24 March 2026
Summary
CVE-2026-4617 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Sourcecodester (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly mitigating the improper authorization flaw in the ValidateToken function.
Requires identification, reporting, and correction of flaws like the improper authorization vulnerability in /php/api_patient_checkin.php.
Limits access to only authorized privileges necessary for tasks, reducing the impact of unauthorized access via the flawed token validation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploit of improper authorization in a public-facing web API endpoint (ValidateToken in /php/api_patient_checkin.php) directly enables initial access via exploitation of a public-facing application.
NVD Description
A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is the function ValidateToken of the file /php/api_patient_checkin.php of the component Patient Check-In Module. Executing a manipulation can lead to improper authorization. It…
more
is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-4617 is an improper authorization vulnerability (CWE-266, CWE-285) in the SourceCodester Patients Waiting Area Queue Management System 1.0. The issue resides in the ValidateToken function within the file /php/api_patient_checkin.php of the Patient Check-In Module. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-24T01:17:02.587.
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction required. Manipulation of the ValidateToken function enables improper authorization, resulting in low-level impacts to confidentiality, integrity, and availability.
Advisories are documented on VulDB at https://vuldb.com/?ctiid.352481, https://vuldb.com/?id.352481, and https://vuldb.com/?submit.775747, with a public exploit available at https://gist.github.com/HxH404/0ab53ccba44456b5400a5908414f5ab1. The vendor site is reachable at https://www.sourcecodester.com/. The exploit has been made publicly available and could be used for attacks.
Details
- CWE(s)