CVE-2026-13549 Overview
CVE-2026-13549 is an authorization bypass vulnerability in CodeAstro Complaint Management System 1.0. The flaw resides in the deletereport function of application/controllers/Report.php within the Report Endpoint component. Attackers can manipulate requests to this endpoint to delete arbitrary reports and files without proper authorization checks. The issue is remotely exploitable over the network and a public exploit has been released. The weakness is classified as [CWE-285] Improper Authorization.
Critical Impact
Remote attackers can trigger unauthenticated report and file deletion, resulting in loss of integrity and availability of complaint data.
Affected Products
- CodeAstro Complaint Management System 1.0
- application/controllers/Report.php — Report Endpoint component
- deletereport function
Discovery Timeline
- 2026-06-29 - CVE CVE-2026-13549 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2026-13549
Vulnerability Analysis
The vulnerability exists in the deletereport handler defined in application/controllers/Report.php. The function accepts a report identifier from the incoming request and executes deletion logic without verifying that the caller is authenticated or authorized to remove the target record. Because the endpoint is reachable over the network, an attacker can invoke the deletion routine directly and remove reports and their associated files. The public proof-of-concept demonstrates unauthenticated arbitrary report and file deletion, expanding the impact beyond a single record to any resource referenced through the endpoint. EPSS data lists a probability of 0.293% with a percentile of 21.03 as of 2026-07-02.
Root Cause
The root cause is missing authorization enforcement in the deletereport controller action. The application relies on the presence of a request parameter to trigger deletion but never validates the session, role, or ownership of the referenced report. This aligns with [CWE-285] Improper Authorization.
Attack Vector
An attacker sends an HTTP request to the deletereport action with a chosen report identifier. The controller invokes the deletion routine, removes the database entry, and unlinks the corresponding uploaded file. No credentials or CSRF tokens are required, and the attack requires only minimal user interaction as reflected in the CVSS 4.0 vector.
// No verified exploit code is available for CVE-2026-13549.
// See the public proof-of-concept in the external references for technical details.
Detection Methods for CVE-2026-13549
Indicators of Compromise
- Unexpected HTTP requests targeting the Report/deletereport route from unauthenticated sessions or unfamiliar source addresses.
- Missing report records in the Complaint Management System database without corresponding administrator activity logs.
- Deleted files under the application's report upload directory that lack a matching audit trail.
Detection Strategies
- Enable web server access logging and alert on requests to application/controllers/Report.php or the /Report/deletereport URL path from non-administrative users.
- Correlate database delete operations on the reports table with authenticated administrator sessions to surface anomalies.
- Deploy a web application firewall rule that flags deletion verbs invoked without a valid session cookie for this application.
Monitoring Recommendations
- Forward web server, application, and database logs to a centralized analytics platform for cross-source correlation.
- Monitor filesystem changes in the report upload directory using file integrity monitoring.
- Track error rates and 200-status delete responses on the Report endpoint to identify scanning or exploitation attempts.
How to Mitigate CVE-2026-13549
Immediate Actions Required
- Restrict network access to the Complaint Management System to trusted administrative networks until a patched build is deployed.
- Disable or remove the deletereport route at the web server or framework level if deletion is not required in production.
- Review report and file storage for unauthorized deletions and restore missing records from backups.
Patch Information
No vendor patch has been published in the referenced advisories at the time of writing. Consult the CodeAstro Security Resource and the VulDB CVE-2026-13549 entry for updates. Technical details of the flaw are documented in the GitHub CVE PoC Repository.
Workarounds
- Add server-side authentication and role checks to the deletereport action before any database or filesystem operation runs.
- Implement anti-CSRF tokens and require POST requests with a valid session for all destructive endpoints.
- Place the application behind a reverse proxy that enforces authentication and rate limiting on /Report/* routes.
# Example Apache configuration to require authentication on the Report endpoint
<Location "/application/controllers/Report.php">
AuthType Basic
AuthName "Restricted Report Endpoint"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

