CVE-2026-7042
Published: 26 April 2026
Summary
CVE-2026-7042 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 23.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 directly prohibits performing critical functions, such as the REST API endpoints set up by create_app, without identification and authentication, addressing the core missing-authentication flaw.
AC-3 enforces approved authorizations requiring authentication for access to the vulnerable REST API endpoint, preventing unauthorized manipulation.
IA-8 mandates identification and authentication for non-organizational users, mitigating remote unauthenticated exploitation of the API by external attackers.
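The three controls above share one enforcement point: authenticate before any critical endpoint is dispatched, and whitelist explicitly the few actions (AC-14) that may run without identification. The following is an added example, not MiroFish's code and not derived from its repository: it assumes a create_app()-style factory that registers REST routes, uses a bearer token as the (assumed) credential, and uses constructed route names. The require_auth=False flag reproduces the missing-authentication pattern so the two behaviours can be compared side by side; the default enforces AC-3.

```python
"""Minimal WSGI app factory with an authentication gate (stdlib only).

Added example, not MiroFish's own code. Assumptions: a create_app()-style
factory, a bearer-token credential, and constructed route names.
"""
import hmac
import json
import os
from wsgiref.util import setup_testing_defaults

# Constructed demo secret; a real deployment loads this from a secrets store.
API_TOKEN = os.environ.get("API_TOKEN", "constructed-demo-token")

# AC-14: the only actions explicitly permitted without authentication.
PUBLIC_PATHS = {"/health"}


def _authenticated(environ) -> bool:
    """Accept only a valid 'Authorization: Bearer <token>' header."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    # Constant-time comparison on bytes so the check neither leaks token
    # prefixes through timing nor raises on non-ASCII input.
    return scheme == "Bearer" and hmac.compare_digest(
        token.encode("utf-8", "replace"), API_TOKEN.encode("utf-8"))


def _json(start_response, status, payload):
    """Emit a JSON response; 401 carries the WWW-Authenticate challenge."""
    body = json.dumps(payload).encode()
    headers = [("Content-Type", "application/json"),
               ("Content-Length", str(len(body)))]
    if status.startswith("401"):
        headers.append(("WWW-Authenticate", "Bearer"))
    start_response(status, headers)
    return [body]


def create_app(require_auth: bool = True):
    """App factory. require_auth=False reproduces the missing-auth pattern
    (every endpoint reachable anonymously); the default enforces AC-3."""
    # Constructed route table standing in for the app's critical functions.
    routes = {
        "/api/simulations": lambda: {"simulations": ["demo-1"]},
        "/api/simulations/start": lambda: {"started": True},
    }

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if path in PUBLIC_PATHS:
            return _json(start_response, "200 OK", {"status": "ok"})
        # AC-3 enforcement point: authenticate before dispatching anything else.
        if require_auth and not _authenticated(environ):
            return _json(start_response, "401 Unauthorized",
                         {"error": "authentication required"})
        handler = routes.get(path)
        if handler is None:
            return _json(start_response, "404 Not Found",
                         {"error": "no such route"})
        return _json(start_response, "200 OK", handler())

    return app


def call(app, path, token=None):
    """Drive the WSGI app in-process; returns (status_code, parsed body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    hardened = create_app()
    unprotected = create_app(require_auth=False)
    print("unprotected, no token:", call(unprotected, "/api/simulations/start"))
    print("hardened, no token:   ", call(hardened, "/api/simulations/start"))
    print("hardened, token:      ", call(hardened, "/api/simulations/start", API_TOKEN))
```

Running the script shows the anonymous request succeeding against the unprotected factory and receiving 401 from the hardened one, while /health stays reachable without a token as the one permitted unauthenticated action. The check sits in the factory rather than in each route so that a newly registered endpoint cannot silently bypass it.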
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in public-facing REST API endpoint directly matches T1190 for exploiting internet-facing applications to gain unauthorized access.
NVD Description
A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-7042 is a missing authentication vulnerability affecting 666ghj MiroFish versions up to 0.1.2. The flaw exists in the create_app function within the file backend/app/__init__.py of the REST API Endpoint component, classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges and can exploit the issue over the network with low attack complexity and no user interaction. Successful exploitation enables limited impacts to confidentiality, integrity, and availability, such as unauthorized access to certain API functions. An exploit has been published and may be actively used.
References indicate the project was notified early via GitHub issue #487 but has not responded or issued patches. VulDB entries detail the vulnerability but provide no mitigation guidance beyond general awareness. Security practitioners should monitor the repository at https://github.com/666ghj/MiroFish/ for updates.
Details
- CWE(s)