Cyber Resilience

CVE-2026-4617

Medium

Published: 24 March 2026

Published
24 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0002 5.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4617 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Sourcecodester (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4617 is an improper authorization vulnerability (CWE-266, CWE-285) in the SourceCodester Patients Waiting Area Queue Management System 1.0. The issue resides in the ValidateToken function within the file /php/api_patient_checkin.php of the Patient Check-In Module. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-24T01:17:02.587.

Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction required. Manipulation of the ValidateToken function enables improper authorization, resulting in low-level impacts to confidentiality, integrity, and availability.

Advisories are documented on VulDB at https://vuldb.com/?ctiid.352481, https://vuldb.com/?id.352481, and https://vuldb.com/?submit.775747, with a public exploit available at https://gist.github.com/HxH404/0ab53ccba44456b5400a5908414f5ab1. The vendor site is reachable at https://www.sourcecodester.com/. The exploit has been made publicly available and could be used for attacks.

EU & UK References

Vulnerability details

A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is the function ValidateToken of the file /php/api_patient_checkin.php of the component Patient Check-In Module. Executing a manipulation can lead to improper authorization. It…

more

is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploit of improper authorization in a public-facing web API endpoint (ValidateToken in /php/api_patient_checkin.php) directly enables initial access via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1226Shared CWE-266, CWE-285
CVE-2026-1597Shared CWE-266, CWE-285
CVE-2025-8756Shared CWE-266, CWE-285
CVE-2026-2105Shared CWE-266, CWE-285
CVE-2025-1815Shared CWE-266, CWE-285
CVE-2025-0484Shared CWE-266, CWE-285
CVE-2026-3724Shared CWE-266, CWE-285
CVE-2026-5642Shared CWE-266, CWE-285
CVE-2026-2896Shared CWE-266, CWE-285
CVE-2025-2359Shared CWE-266, CWE-285

Affected Assets

Sourcecodester
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly mitigating the improper authorization flaw in the ValidateToken function.

prevent

Requires identification, reporting, and correction of flaws like the improper authorization vulnerability in /php/api_patient_checkin.php.

prevent

Limits access to only authorized privileges necessary for tasks, reducing the impact of unauthorized access via the flawed token validation.

References