PatchSiren cyber security CVE debrief
CVE-2026-2141 WuKongOpenSource CVE debrief
CVE-2026-2141 is an improper authorization vulnerability in WukongCRM. The vulnerability affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability has a significant impact on the security posture of affected systems, and defenders should prioritize patching or mitigating this vulnerability.
- Vendor
- WuKongOpenSource
- Product
- WukongCRM
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-08
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-08
- Advisory updated
- 2026-07-14
Who should care
Users of WukongCRM up to version 11.3.3 should be aware of this vulnerability and take necessary precautions to prevent exploitation. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The vulnerability is caused by improper authorization in the PermissionServiceImpl.java file of the WukongCRM system. This allows remote attackers to exploit the vulnerability and perform unauthorized actions. The affected product is WukongCRM up to version 11.3.3, and the vulnerability affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler.
Defensive priority
Medium
Recommended defensive actions
- Inventory and verify affected WukongCRM installations
- Apply vendor patches or updates when available
- Implement compensating controls to restrict access to sensitive areas
- Monitor for suspicious activity and exception tracking
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-02-08T08:15:52.230Z and was last modified on 2026-07-14T15:02:10.033Z. The NVD entry is currently Analyzed. The evidence provided is limited, and further verification is needed to confirm the affected scope and severity. Defenders should verify the official CVE record and NVD entry for the latest information.
Official resources
-
CVE-2026-2141 CVE record
CVE.org
-
CVE-2026-2141 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory
-
Source reference
[email protected] - Permissions Required, VDB Entry
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-08T08:15:52.230Z and has not been modified since then. The NVD entry is currently Analyzed.