CVE-2026-31071 Overview
CVE-2026-31071 is a missing authentication vulnerability [CWE-306] in the LalanaChami Pharmacy Management System at commit 5c3d028. The application exposes backend API routes without any authentication middleware. Unauthenticated remote attackers can query /api/user/getUserData to dump every user record, including bcrypt password hashes. The same flaw lets attackers modify drug inventory and read private medical prescription data through /api/doctorOder.
Critical Impact
Remote, unauthenticated attackers can exfiltrate credential hashes and protected health information, and tamper with pharmacy inventory data over the network.
Affected Products
- LalanaChami Pharmacy Management System (backend routes at commit 5c3d02888631166649856f71d542387114b3010b)
- /api/user/getUserData endpoint
- /api/doctorOder endpoint
Discovery Timeline
- 2026-05-19 - CVE-2026-31071 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-31071
Vulnerability Analysis
The backend routes in the LalanaChami Pharmacy Management System are registered directly against the Express router without any authentication or authorization guard. Any client that can reach the server can invoke sensitive endpoints. A request to /api/user/getUserData returns the full user collection, including bcrypt password hashes that an attacker can carry offline for cracking. The /api/doctorOder route exposes prescription records, which constitute regulated medical data. Other routes accept write operations against the drug inventory, allowing attackers to add, modify, or remove stock entries.
This is an API authorization failure rather than a memory or injection bug. The vulnerability class falls under Broken Access Control and Missing Authentication for Critical Function [CWE-306].
Root Cause
The route handlers in the backend/routes directory do not chain an authentication middleware before the controller functions. There is no JWT verification, session check, or role enforcement. Endpoints that should be restricted to authenticated staff, doctors, or administrators are reachable by any anonymous HTTP client.
Attack Vector
The attack vector is network-based and requires no user interaction or prior credentials. An attacker only needs HTTP reachability to the backend service. Typical exploitation issues a GET request to /api/user/getUserData to harvest user records and bcrypt hashes, then issues further requests against /api/doctorOder to read prescriptions or against inventory routes to modify drug data. See the GitHub Gist Code Snippet and the GitHub Project Repository for the affected route definitions.
Detection Methods for CVE-2026-31071
Indicators of Compromise
- Unauthenticated HTTP requests to /api/user/getUserData returning large JSON payloads containing user records.
- Requests to /api/doctorOder from IP addresses that have not completed any login flow.
- Outbound responses from the backend containing fields named password or bcrypt-formatted strings beginning with $2a$, $2b$, or $2y$.
- Unexpected POST, PUT, or DELETE operations against drug inventory routes without a preceding authenticated session.
Detection Strategies
- Inspect web server and reverse proxy access logs for requests to sensitive /api/* paths that are not preceded by an authentication request.
- Deploy a web application firewall rule that requires a valid session cookie or Authorization header on all /api/ routes.
- Diff the route definitions in backend/routes against a known-good baseline to confirm whether middleware has been added.
Monitoring Recommendations
- Alert on response sizes from /api/user/getUserData that exceed a normal single-record reply.
- Monitor for repeated enumeration patterns against /api/doctorOder from a single source IP.
- Track inventory mutation events without a corresponding authenticated user identifier in application logs.
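The detection strategies and monitoring recommendations above can be run over ordinary access logs. The following is an added example, not code from the advisory or the project: it scans Common Log Format lines for sensitive-path requests with no prior successful login from the same IP, oversized /api/user/getUserData replies, and repeated /api/doctorOder hits. The login route (/api/user/login), the 2048-byte size threshold and the five-request enumeration threshold are assumptions.

```javascript
// Added example (not the project's code): scan Common Log Format access logs for
// the indicators above. The login route, size threshold and enumeration threshold
// are assumptions, not values taken from the advisory.
const SENSITIVE_PATHS = ['/api/user/getUserData', '/api/doctorOder'];
const LOGIN_PATH = '/api/user/login';  // assumed login route
const MAX_SINGLE_RECORD_BYTES = 2048;  // assumed size of a normal one-record reply
const ENUM_THRESHOLD = 5;              // assumed /api/doctorOder hits per IP before alerting

// host ident authuser [time] "method path proto" status bytes
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;  // skip malformed lines instead of aborting the scan
  return { ip: m[1], method: m[3], path: m[4].split('?')[0],
           status: Number(m[5]), bytes: m[6] === '-' ? 0 : Number(m[6]) };
}

function analyzeAccessLog(lines) {
  const findings = [];
  const loggedIn = new Set();         // IPs with a successful login earlier in the log
  const doctorOrderHits = new Map();  // per-IP request count for /api/doctorOder
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (r.path === LOGIN_PATH && r.status < 300) { loggedIn.add(r.ip); continue; }
    if (SENSITIVE_PATHS.includes(r.path) && !loggedIn.has(r.ip)) {
      findings.push({ ip: r.ip, path: r.path, reason: 'no prior login' });
    }
    if (r.path === '/api/user/getUserData' && r.bytes > MAX_SINGLE_RECORD_BYTES) {
      findings.push({ ip: r.ip, path: r.path, reason: 'oversized reply' });
    }
    if (r.path === '/api/doctorOder') {
      const n = (doctorOrderHits.get(r.ip) || 0) + 1;
      doctorOrderHits.set(r.ip, n);
      if (n === ENUM_THRESHOLD) findings.push({ ip: r.ip, path: r.path, reason: 'enumeration' });
    }
  }
  return findings;
}

// Constructed sample log (not real traffic): one client that logged in, one that did not.
const SAMPLE_LOG = [
  '198.51.100.7 - - [19/May/2026:10:00:00 +0000] "POST /api/user/login HTTP/1.1" 200 312',
  '198.51.100.7 - - [19/May/2026:10:00:05 +0000] "GET /api/user/getUserData HTTP/1.1" 200 1200',
  '203.0.113.9 - - [19/May/2026:10:01:00 +0000] "GET /api/user/getUserData HTTP/1.1" 200 48213',
  ...Array.from({ length: 5 }, (_, i) =>
    `203.0.113.9 - - [19/May/2026:10:01:0${i + 1} +0000] "GET /api/doctorOder?id=${i + 1} HTTP/1.1" 200 640`),
];
console.log(analyzeAccessLog(SAMPLE_LOG));
```

Feed it real proxy logs line by line; the logged-in set should be keyed on session identity rather than source IP once the application emits one.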
How to Mitigate CVE-2026-31071
Immediate Actions Required
- Restrict network exposure of the backend service to trusted networks or place it behind an authenticating reverse proxy until code-level fixes are deployed.
- Rotate all user passwords and invalidate existing sessions, assuming the bcrypt hashes may already be exfiltrated.
- Audit access logs for prior unauthenticated calls to /api/user/getUserData, /api/doctorOder, and drug inventory routes.
Patch Information
No vendor patch is referenced in the published advisory. Operators must add authentication middleware to the affected routes in the backend/routes directory and validate user roles before executing controller logic. Review the GitHub Project Repository to identify every route that lacks a guard.
Workarounds
- Place the application behind a reverse proxy that enforces authentication on all /api/ paths.
- Apply network ACLs so that only authorized clinical workstations can reach the backend port.
- Temporarily disable the /api/user/getUserData and /api/doctorOder routes if they are not required for production workflows.
// Example Express middleware enforcing JWT on all /api routes.
// Add this before route registration in the backend entry point,
// where `app` is the Express application instance.
const jwt = require('jsonwebtoken');

app.use('/api', (req, res, next) => {
  // Expects "Authorization: Bearer <token>"
  const token = req.headers['authorization']?.split(' ')[1];
  if (!token) return res.status(401).json({ error: 'Unauthorized' });
  try {
    // Throws on a bad signature or an expired token
    req.user = jwt.verify(token, process.env.JWT_SECRET);
    return next();
  } catch (err) {
    return res.status(401).json({ error: 'Invalid token' });
  }
});
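The JWT middleware above only establishes who the caller is; the Patch Information section also calls for validating user roles before controller logic runs. The following is an added example, not the project's code, of per-route role enforcement layered on top of that check. It uses Express's (req, res, next) middleware shape without the framework so it runs stand-alone; the role names, the route-to-role table and the /api/drug inventory route are assumptions.

```javascript
// Added example (not the project's code): per-route role enforcement layered on top
// of the JWT check above. It uses Express's (req, res, next) middleware shape without
// the framework so it runs stand-alone; the role names and the route table are assumptions.
const ROUTE_ROLES = {
  'GET /api/user/getUserData': ['admin'],
  'GET /api/doctorOder': ['doctor', 'pharmacist', 'admin'],
  'POST /api/drug': ['pharmacist', 'admin'],  // assumed inventory write route
};

// Minimal stand-in for Express's response object so the guards are testable here.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = code => { res.statusCode = code; return res; };
  res.json = obj => { res.body = obj; return res; };
  return res;
}

// Rejects any request the upstream JWT middleware did not tag with req.user.
function requireAuth(req, res, next) {
  if (!req.user || typeof req.user.role !== 'string') {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  return next();
}

// Allowlist lookup: a route missing from ROUTE_ROLES is denied (fail closed),
// and an authenticated user with the wrong role gets 403, not the data.
function requireRole(req, res, next) {
  const allowed = ROUTE_ROLES[`${req.method} ${req.path}`] || [];
  if (!allowed.includes(req.user.role)) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  return next();
}

// Runs the chain the way Express does: the first guard that responds without
// calling next() ends the request, so the controller never runs unguarded.
function dispatch(req, controller) {
  const res = makeRes();
  const chain = [requireAuth, requireRole, controller];
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// Controller standing in for the user listing; returns a constructed record with no hash.
function getUserData(req, res) {
  return res.json({ users: [{ id: 1, name: 'alice', role: 'admin' }] });
}
```

In the real application the same two guards would be mounted with app.use('/api', requireAuth, requireRole) after the JWT middleware, and the controllers would stop returning password hashes at all.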
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.