PatchSiren cyber security CVE debrief

CVE-2026-46407 givanz CVE debrief

**Executive Summary:** CVE-2026-46407 is a HIGH severity (CVSS 8.1) authorization bypass vulnerability in Vvveb CMS affecting versions prior to 1.0.8.3. An authenticated administrator can exploit a missing authorization check on the backend `admin/auth-token` endpoint to enumerate and retrieve REST API tokens belonging to other administrators, leading to sensitive credential disclosure and potential privilege escalation. The vulnerability was disclosed on 2026-05-15 and patched in version 1.0.8.3. No known exploitation in the wild or ransomware campaign use has been reported.

| Field | Value |
| --- | --- |
| Vendor | givanz |
| Product | Vvveb |
| CVSS | HIGH 8.1 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2026-05-15 |
| Original CVE updated | 2026-05-18 |
| Advisory published | 2026-05-15 |
| Advisory updated | 2026-05-18 |

Who should care

Organizations running Vvveb CMS versions prior to 1.0.8.3 with multiple administrator accounts; security teams monitoring for insider threats or compromised admin credentials; compliance teams concerned with unauthorized access to administrative credentials and API security.

Technical summary

The Vvveb CMS backend `admin/auth-token` endpoint does not verify that the requesting administrator is authorized to access the account named by the `admin_id` parameter. An authenticated administrator can therefore supply arbitrary `admin_id` values and retrieve the REST API token lists of other administrator accounts. This is an Insecure Direct Object Reference (IDOR) variant, classified as CWE-639, in which user-controlled input (`admin_id`) selects the resource without an adequate authorization check. The disclosed API tokens can then be used to impersonate other administrators, potentially escalating privileges or reaching sensitive administrative functions. The vulnerability is remotely exploitable with low complexity, requiring only valid administrator credentials.
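The CWE-639 pattern described above, as an added example that is not Vvveb's code: a token-listing handler that trusts the `admin_id` it is given, next to a fixed handler that binds the lookup key to the authenticated session and refuses (and records) any mismatch. The `Session` object, `TOKEN_STORE`, `AUDIT_LOG`, the function names and the token values are constructed for illustration and do not reflect Vvveb's internals.

```python
"""Added example (not Vvveb's code): the authorization bypass behind this
CVE, shown as a vulnerable token-listing handler beside a fixed one. Every
name and value here is constructed for illustration."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a handler refuses a cross-account request (maps to HTTP 403)."""


@dataclass(frozen=True)
class Session:
    admin_id: int  # identity established at login; the only trusted key


# Constructed sample data: REST API tokens owned by each administrator.
TOKEN_STORE = {
    1: ["tok-admin1-0001"],
    2: ["tok-admin2-0001", "tok-admin2-0002"],
}

AUDIT_LOG = []  # constructed stand-in for the application's audit log


def list_tokens_vulnerable(session: Session, requested_admin_id: int) -> list:
    """The CVE pattern: the caller is authenticated, but the lookup key comes
    straight from the request, so any admin can read any other admin's tokens."""
    return list(TOKEN_STORE.get(requested_admin_id, []))


def list_tokens_fixed(session: Session, requested_admin_id: int) -> list:
    """Authorization check: the requested key must equal the authenticated
    identity. A mismatch is refused and written to the audit log, which
    doubles as the detection signal the advisory recommends reviewing."""
    if requested_admin_id != session.admin_id:
        AUDIT_LOG.append({
            "actor": session.admin_id,
            "target": requested_admin_id,
            "action": "auth-token",
            "result": "denied",
        })
        raise Forbidden(
            f"admin {session.admin_id} may not read tokens of admin {requested_admin_id}"
        )
    # Key derived from the session, never from user input.
    return list(TOKEN_STORE.get(session.admin_id, []))


def demo() -> dict:
    """Run both handlers with admin 1 asking for admin 2's tokens."""
    result = {"vulnerable": list_tokens_vulnerable(Session(1), 2)}
    try:
        list_tokens_fixed(Session(1), 2)
        result["fixed"] = "served"
    except Forbidden:
        result["fixed"] = "denied"
    return result


if __name__ == "__main__":
    print(demo())  # vulnerable handler leaks admin 2's tokens; fixed one denies
```

The fix deliberately ignores the client-supplied key rather than comparing it against a list of permitted targets: an endpoint that only ever needs to answer "my tokens" has no legitimate reason to accept another account's identifier at all.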

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Vvveb CMS to version 1.0.8.3 or later to remediate this vulnerability.
  • Review REST API token logs for unauthorized access attempts or anomalous token enumeration activity by administrators.
  • Audit administrator accounts for compromised credentials if suspicious token access is detected.
  • Implement the principle of least privilege for administrator accounts and restrict access to the `admin/auth-token` endpoint where possible.
  • Monitor for unauthorized API token usage following potential credential disclosure.
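One way to carry out the log review in the actions above, as an added example that is not part of the advisory or of Vvveb: a small hunt that parses access-log lines, keeps only requests to the `auth-token` endpoint, and flags every administrator who asked for another account's `admin_id`. The log format, the field names (`admin=`, the quoted request line, the status code) and the sample lines are constructed for this example; the regex must be adapted to the real web-server or application log format.

```python
"""Added example (not from the advisory or from Vvveb): detecting
cross-account auth-token requests in access logs. Log format, field
names and sample lines are constructed for this example."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: timestamp, authenticated admin, request line, status.
# Pre-patch, cross-account requests succeed (200); post-patch they should be 403.
SAMPLE_LOG = """\
2026-05-16T09:58:10Z admin=1 "GET /admin/auth-token?admin_id=1" 200
2026-05-16T09:58:31Z admin=2 "GET /admin/auth-token?admin_id=2" 200
2026-05-16T10:01:02Z admin=2 "GET /admin/auth-token?admin_id=1" 200
2026-05-16T10:01:05Z admin=2 "GET /admin/auth-token?admin_id=3" 200
2026-05-16T10:01:09Z admin=2 "GET /admin/auth-token?admin_id=4" 200
2026-05-16T10:02:00Z admin=3 "GET /admin/dashboard" 200
2026-05-16T10:03:00Z admin=3 "GET /admin/auth-token?admin_id=2" 403
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) admin=(?P<admin>\d+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3})$'
)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    requested = parse_qs(parts.query).get("admin_id", [None])[0]
    return {
        "ts": m.group("ts"),
        "admin": int(m.group("admin")),
        "path": parts.path,
        "requested_admin_id": int(requested) if requested and requested.isdigit() else None,
        "status": int(m.group("status")),
    }


def find_token_enumeration(log_text: str, endpoint: str = "/admin/auth-token",
                           threshold: int = 1) -> list:
    """Return one finding per admin who requested another admin's token list.

    'served' counts cross-account requests answered 2xx (data actually left the
    server, so treat as a credential-disclosure incident); 'denied' counts 403s,
    which is the expected outcome once 1.0.8.3 is deployed but still shows intent.
    """
    per_admin = defaultdict(lambda: {"foreign_ids": set(), "served": 0, "denied": 0})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["path"] != endpoint or ev["requested_admin_id"] is None:
            continue
        if ev["requested_admin_id"] == ev["admin"]:
            continue  # an admin reading its own tokens is normal
        rec = per_admin[ev["admin"]]
        rec["foreign_ids"].add(ev["requested_admin_id"])
        if 200 <= ev["status"] < 300:
            rec["served"] += 1
        elif ev["status"] == 403:
            rec["denied"] += 1

    findings = []
    for admin, rec in sorted(per_admin.items()):
        if len(rec["foreign_ids"]) >= threshold:
            findings.append({
                "admin": admin,
                "foreign_admin_ids": sorted(rec["foreign_ids"]),
                "served": rec["served"],
                "denied": rec["denied"],
                "severity": "high" if rec["served"] else "info",
            })
    return findings


if __name__ == "__main__":
    for f in find_token_enumeration(SAMPLE_LOG):
        print(f)
```

Any "high" finding means tokens were disclosed and the affected accounts' API tokens should be rotated, not just the requesting account investigated; the `threshold` parameter is there for noisy environments where a single mismatched request might be a UI quirk rather than enumeration.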

Evidence notes

The vulnerability description and fix version are sourced from the official GitHub Security Advisory (GHSA-5g3g-x6mf-pwr6) referenced in NVD. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) confirms network accessibility with low attack complexity, requiring only low-privileged authenticated access. CWE-639 (Authorization Bypass Through User-Controlled Key) is the assigned weakness. The vendor is identified as the Vvveb project (givanz/Vvveb on GitHub).

Official resources

2026-05-15