PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2141 WuKongOpenSource CVE debrief

CVE-2026-2141 is an improper authorization vulnerability in WukongCRM. The vulnerability affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability has a significant impact on the security posture of affected systems, and defenders should prioritize patching or mitigating this vulnerability.

Vendor
WuKongOpenSource
Product
WukongCRM
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-08
Original CVE updated
2026-07-14
Advisory published
2026-02-08
Advisory updated
2026-07-14

Who should care

Users of WukongCRM up to version 11.3.3 should be aware of this vulnerability and take necessary precautions to prevent exploitation. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The vulnerability is caused by improper authorization in the PermissionServiceImpl.java file of the WukongCRM system. This allows remote attackers to exploit the vulnerability and perform unauthorized actions. The affected product is WukongCRM up to version 11.3.3, and the vulnerability affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler.

Defensive priority

Medium

Recommended defensive actions

  • Inventory and verify affected WukongCRM installations
  • Apply vendor patches or updates when available
  • Implement compensating controls to restrict access to sensitive areas
  • Monitor for suspicious activity and exception tracking
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-02-08T08:15:52.230Z and was last modified on 2026-07-14T15:02:10.033Z. The NVD entry is currently Analyzed. The evidence provided is limited, and further verification is needed to confirm the affected scope and severity. Defenders should verify the official CVE record and NVD entry for the latest information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-08T08:15:52.230Z and has not been modified since then. The NVD entry is currently Analyzed.