CVE-2026-7630
Published: 02 May 2026
Summary
CVE-2026-7630 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the specific improper authentication flaw in the InnoShop installation endpoint through application of the available patch identified by commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.
Limits or prohibits unauthorized actions without identification and authentication on the vulnerable installation endpoint, directly mitigating the improper authentication bypass.
Enforces approved access authorizations to prevent remote manipulation and exploitation of the flawed InstallServiceProvider::boot function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes an improper authentication vulnerability (CWE-287) in the publicly accessible installation endpoint of a web application, allowing remote unauthenticated attackers to bypass authentication mechanisms with no privileges or user interaction required. This directly enables exploitation of public-facing applications.
NVD Description
A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible.…
more
The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.
Deeper analysisAI
CVE-2026-7630 is an improper authentication vulnerability (CWE-287) affecting innocommerce InnoShop versions up to 0.7.8. The issue resides in the InstallServiceProvider::boot function within the file innopacks/install/src/InstallServiceProvider.php, part of the Installation Endpoint component. This flaw allows manipulation that bypasses authentication mechanisms during the installation process.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, no user interaction, and no scope change, as indicated by the CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation grants low-level impacts on confidentiality, integrity, and availability, potentially allowing unauthorized access or interference with the installation endpoint.
Mitigation is available via a patch identified by commit hash 45758e4ec22451ab944ae2ae826b1e70f6450dc9 in the innocommerce/innoshop GitHub repository. Security practitioners should apply this update promptly, with further details discussed in GitHub issue #314 and related comments. The exploit has been publicly disclosed and may be in use.
Notable context includes the public availability of the exploit, increasing the risk of active exploitation against unpatched InnoShop instances. No evidence of widespread real-world attacks or AI/ML relevance is reported.
Details
- CWE(s)