CVE-2026-7491

High

Published: 02 May 2026

Published

02 May 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0004 13.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7491 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Org (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Information Repositories (T1213) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 requires enforcement of approved authorizations for access to information and resources, directly preventing IDOR exploitation by blocking unauthorized read and modification of other users' data.

AC-25 Reference Monitor good match

prevent

AC-25 implements a tamperproof reference monitor for access control policy enforcement, ensuring complete mediation of direct object references to mitigate parameter manipulation in this IDOR.

AC-24 Access Control Decisions good match

prevent

AC-24 mandates explicit authorization decisions for access to system resources like other users' data, countering the unauthorized access enabled by modifying the vulnerable parameter.

MITRE ATT&CK Enterprise TechniquesAI

T1213 Data from Information Repositories Collection

Adversaries may leverage information repositories to mine valuable information.

attack.mitre.org →

T1565 Data Manipulation Impact

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

IDOR enables unauthorized read/modification of other users' data via parameter manipulation in the app, directly facilitating data collection from information repositories (T1213) and stored data manipulation (T1565).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.

Deeper analysisAI

CVE-2026-7491 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, in the School App developed by Zyosoft. Published on 2026-05-02T10:16:19.107, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). The issue enables authenticated remote attackers to modify a specific parameter, resulting in unauthorized read and modification access to other users' data.

Attackers require low-privilege authenticated access (PR:L) to exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation allows high-impact compromise of confidentiality (C:H) and integrity (I:H) by reading and altering other users' data, while availability remains unaffected (A:N) and scope is unchanged (S:U).

Mitigation guidance is provided in advisories from TWCERT/CC, accessible at https://www.twcert.org.tw/en/cp-139-10897-64257-2.html and https://www.twcert.org.tw/tw/cp-132-10896-e3240-1.html.