CVE-2026-2851 Overview
A vulnerability has been identified in the Yeqifu Warehouse application affecting the Inport Endpoint component. This improper access control vulnerability exists in the InportController.java file, specifically within the addInport, updateInport, and deleteInport functions. The vulnerability allows attackers to manipulate import operations without proper authorization checks, potentially leading to unauthorized data modification or deletion.
Critical Impact
Attackers can remotely exploit this improper access control vulnerability to manipulate import operations, potentially compromising data integrity within the warehouse management system.
Affected Products
- yeqifu warehouse (all versions up to commit aaf29962ba407d22d991781de28796ee7b4670e4)
Discovery Timeline
- February 20, 2026 - CVE CVE-2026-2851 published to NVD
- February 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2851
Vulnerability Analysis
This vulnerability is classified under CWE-266 (Incorrect Privilege Assignment), indicating that the application fails to properly enforce access controls on critical import management functions. The affected component is the Inport Endpoint located at dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\InportController.java.
The vulnerability allows authenticated users with low privileges to perform operations that should require higher authorization levels. This affects three key functions: addInport, updateInport, and deleteInport, which handle the creation, modification, and removal of import records respectively. Without proper access control checks, any authenticated user can manipulate these records regardless of their intended permission level.
The exploit has been publicly disclosed through a GitHub Issue Discussion, increasing the risk of exploitation. The project maintainers were notified but have not yet responded to the security report.
Root Cause
The root cause of this vulnerability is the absence of proper authorization validation within the Inport Endpoint controller functions. The addInport, updateInport, and deleteInport methods do not adequately verify whether the requesting user has sufficient privileges to perform these operations. This is a classic example of broken access control where the application assumes authentication alone is sufficient for authorization.
Attack Vector
The attack vector is network-based, requiring the attacker to have low-level authenticated access to the application. From there, the attacker can send crafted HTTP requests to the Inport Endpoint to perform unauthorized operations on import records. The attack does not require user interaction and can be executed remotely against any exposed instance of the Yeqifu Warehouse application.
The exploitation path involves:
- Obtaining valid low-privilege credentials or session
- Sending manipulated requests to the /inport endpoint
- Executing addInport, updateInport, or deleteInport operations without proper authorization
- Modifying or deleting import records that should be protected
Detection Methods for CVE-2026-2851
Indicators of Compromise
- Unexpected modifications or deletions of import records in the warehouse system
- Anomalous API calls to /inport endpoints from low-privilege user accounts
- Audit logs showing addInport, updateInport, or deleteInport operations by unauthorized users
- Unusual patterns of bulk import record manipulation
Detection Strategies
- Monitor API access logs for requests to the Inport Endpoint from users without appropriate privileges
- Implement alerting on any DELETE or PUT requests to import-related endpoints from non-administrative accounts
- Review application audit trails for unauthorized data modifications in the import module
- Deploy web application firewall (WAF) rules to detect and block suspicious manipulation attempts
Monitoring Recommendations
- Enable detailed logging for all Inport Endpoint operations including user identity and action timestamps
- Configure SIEM rules to correlate authentication events with subsequent high-privilege operations
- Implement anomaly detection for unusual patterns of import record access or modification
- Regularly audit user permissions and access control configurations
How to Mitigate CVE-2026-2851
Immediate Actions Required
- Review and restrict network access to the Yeqifu Warehouse application to trusted sources only
- Implement additional authentication layers or access controls at the network/infrastructure level
- Audit existing import records for signs of unauthorized modification
- Consider temporarily disabling the Inport Endpoint functionality until a proper fix is available
Patch Information
As of the last update, the Yeqifu Warehouse project uses a rolling release model without versioned releases. The project maintainers have been notified of this vulnerability through a GitHub Issue but have not yet responded or released a patch. Users should monitor the GitHub Project Repository for updates and apply any security fixes as soon as they become available.
Workarounds
- Implement a reverse proxy or API gateway with role-based access control to enforce authorization before requests reach the application
- Add application-level middleware to validate user privileges before processing Inport Endpoint requests
- Restrict access to the vulnerable endpoints using firewall rules or network segmentation
- Deploy SentinelOne Singularity to monitor for exploitation attempts and provide runtime application protection
Since no verified code examples are available for this vulnerability, organizations should review the GitHub Issue Details for technical specifics and implement access control enforcement at the controller level for the affected functions.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
