Cyber Posture

CVE-2026-6105

Severity: High
Published: 11 April 2026
Modified: 24 April 2026
KEV Added: not listed (not in the CISA KEV catalog at time of writing)
Patch: none referenced by the advisories
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0005 (15.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-6105 is a high-severity improper authorization vulnerability (CWE-266 Incorrect Privilege Assignment, CWE-285 Improper Authorization) in perfree go-fastdfs-web, versions up to 1.3.7, located in the doInstall interface of InstallController. Gitee hosts the project's issue tracker and is not the affected product. Its CVSS 3.1 base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 15.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

AC-3 Access Enforcement (prevent): enforces approved authorizations for access to system resources, directly preventing exploitation of the improper authorization in the doInstall interface.

AC-6 Least Privilege (prevent): applies the least-privilege principle to block unauthorized actions resulting from incorrect privilege assignment (CWE-266) in the installation controller.

AC-14 Permitted Actions Without Identification or Authentication (prevent): explicitly identifies and restricts the actions that may be performed without identification or authentication, ensuring the doInstall interface requires proper credentials.
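The three controls above describe a single gate on one endpoint. As an added example, not code from go-fastdfs-web (whose InstallController is Java, and whose exact defect the advisory does not detail), the following Python sketches a setup handler of the vulnerable shape beside one that enforces AC-14, AC-3 and least privilege. The route, the `installed` marker, the `admin` role and the request/response types are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for a web framework request (assumed shape)."""
    method: str
    path: str
    user: Optional[str] = None                 # authenticated principal, None if anonymous
    roles: frozenset = field(default_factory=frozenset)
    body: dict = field(default_factory=dict)   # posted install parameters


@dataclass
class Response:
    status: int
    body: str


class InstallState:
    """Stand-in for the persistent 'installed' marker (lock file, DB row, ...)."""

    def __init__(self, installed: bool = False, config: Optional[dict] = None):
        self.installed = installed
        self.config: dict = dict(config or {})


def do_install_vulnerable(state: InstallState, req: Request) -> Response:
    """Improper-authorization shape (CWE-285): the handler never asks who is
    calling or whether setup already ran, so any remote client can re-run
    installation and overwrite configuration such as admin credentials."""
    state.config = dict(req.body)
    state.installed = True
    return Response(200, "installed")


def do_install_hardened(state: InstallState, req: Request) -> Response:
    """Same handler with the gates the controls above describe.

    AC-14: the only action permitted without authentication is the first
           install on a fresh instance; once the marker is set, anonymous
           callers are refused.
    AC-3 / least privilege (AC-6): re-running setup on an installed instance
           requires an authenticated principal holding the admin role.
    """
    if req.method != "POST":
        return Response(405, "method not allowed")
    if state.installed:
        if req.user is None:
            return Response(401, "authentication required")
        if "admin" not in req.roles:
            return Response(403, "forbidden")
    # Either first-run install, or an authenticated admin re-running setup.
    state.config = dict(req.body)
    state.installed = True
    return Response(200, "installed")


if __name__ == "__main__":
    live = InstallState(installed=True, config={"admin_pwd": "original"})
    anon = Request("POST", "/install/doInstall", body={"admin_pwd": "attacker"})
    print("vulnerable:", do_install_vulnerable(live, anon).status, live.config)
    live = InstallState(installed=True, config={"admin_pwd": "original"})
    print("hardened:  ", do_install_hardened(live, anon).status, live.config)
```

The first-run window is the residual risk: an instance reachable from the internet before its owner completes setup can be claimed by whoever posts first, so the install route should also be bound to a loopback or management interface, or disabled by configuration once deployed. To check a deployment, send an unauthenticated POST to the install route after setup has completed; anything other than a 401, 403 or 404 means the gate is missing.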

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an improper authorization flaw (CWE-266/285) in a public-facing web application allowing remote unauthenticated access to the installation interface, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
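For the detection side of T1190 against this class of flaw, here is an added example (not from the project or from the page's analysis) in Python that scans combined-format access log lines for requests that reached an installer route after installation had completed and were not rejected. The route `/install/doInstall`, the sample log lines and the install timestamp are constructed for illustration; the advisory names only the doInstall interface, not its URL, so set INSTALL_PATHS to the real route of the deployment.

```python
import re
from datetime import datetime, timezone

# Apache/nginx combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed route of the installer; the advisory names only the doInstall interface.
INSTALL_PATHS = {"/install/doInstall"}

# Constructed sample: a legitimate first-run install, normal traffic, then two
# later hits on the installer from an external address, plus one unparseable line.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2026:09:00:01 +0000] "POST /install/doInstall HTTP/1.1" 200 512
10.0.0.5 - - [02/Mar/2026:09:05:10 +0000] "GET /index HTTP/1.1" 200 2048
203.0.113.7 - - [12/Apr/2026:03:14:07 +0000] "POST /install/doInstall HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2026:03:14:09 +0000] "GET /install/doInstall?retry=1 HTTP/1.1" 403 0
198.51.100.9 - - [12/Apr/2026:03:20:00 +0000] "GET /login HTTP/1.1" 200 1200
this line is not in combined format and is skipped
""".splitlines()

# Time at which setup of this instance legitimately completed (constructed).
INSTALLED_AT = datetime(2026, 3, 2, 9, 0, 1, tzinfo=timezone.utc)


def parse_line(line: str):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def find_install_hits(lines, installed_at):
    """Entries that hit an installer route after installation completed and were
    not rejected (status < 400). On a correctly gated deployment that route is
    closed, so each such entry is a candidate exploitation attempt."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        route = e["path"].split("?", 1)[0]          # drop any query string
        if route in INSTALL_PATHS and e["ts"] > installed_at and e["status"] < 400:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for h in find_install_hits(SAMPLE_LOG, INSTALLED_AT):
        print(f'{h["ts"].isoformat()} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

Raise the fidelity by taking the install time from the application's own marker (the lock file's mtime or the install record's timestamp) rather than a hard-coded value, and treat a post-install hit that returned 200 as an incident trigger: assume configuration and admin credentials may have been replaced and verify them against a known-good copy.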

NVD Description

A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis [AI-generated]

CVE-2026-6105 is an improper authorization vulnerability affecting perfree go-fastdfs-web versions up to 1.3.7. The issue resides in an unknown part of the file src/main/java/com/perfree/controller/InstallController.java, specifically within the doInstall interface component. It corresponds to CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), with a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), published on 2026-04-11.

The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity and no user interaction. Under the CVSS vector each of confidentiality, integrity and availability takes a low (partial) impact with unchanged scope: the concrete effect is that actions of the installation interface can be performed without the authorization they should require, rather than full control of the host.

Advisories from VulDB and a Gitee issue tracker detail the vulnerability and note that an exploit has been publicly disclosed and may be used. The vendor was contacted early about the disclosure but did not respond, and no patches or official mitigations are referenced.

Notable context includes the public availability of the exploit, increasing the risk of real-world attacks against exposed instances of the affected software.

Details

CWE(s): CWE-266 Incorrect Privilege Assignment; CWE-285 Improper Authorization

Affected Products: perfree go-fastdfs-web, versions up to 1.3.7 (taken from the NVD description; NVD did not file a CPE for this CVE). Gitee, which hosts the project's issue tracker, is not the affected product.

CVEs Like This One (each shares CWE-266 and CWE-285)

CVE-2026-4617
CVE-2025-0484
CVE-2026-3734
CVE-2025-2360
CVE-2026-1597
CVE-2026-3724
CVE-2026-5642
CVE-2025-8756
CVE-2025-1226
CVE-2026-7505
