CVE-2026-3185 Overview
CVE-2026-3185 is an authorization bypass vulnerability affecting sz-boot-parent, a Spring Boot-based admin framework developed by szadmin. The vulnerability exists in the /api/admin/sys-message/ API endpoint, where manipulation of the messageId parameter allows attackers to access messages belonging to other users. This is a classic Insecure Direct Object Reference (IDOR) vulnerability that enables unauthorized access to sensitive message data through message ID enumeration.
The flaw stems from missing ownership verification when processing message retrieval requests. An authenticated attacker can exploit this vulnerability remotely by manipulating the messageId parameter to enumerate and access messages that belong to other users, bypassing intended authorization controls.
Critical Impact
Remote attackers can bypass authorization controls to access other users' messages through message ID enumeration, potentially exposing sensitive communication data.
Affected Products
- szadmin sz-boot-parent versions 1.0.0-beta through 1.3.2-beta
- All beta releases prior to version 1.3.3-beta
- Applications built on vulnerable sz-boot-parent framework versions
Discovery Timeline
- 2026-02-25 - CVE-2026-3185 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-3185
Vulnerability Analysis
This vulnerability is classified under CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key). The affected API endpoint /api/admin/sys-message/ fails to validate that the requesting user owns or has permission to access the message identified by the messageId parameter.
The attack is network-accessible and requires no user interaction. An authenticated attacker can systematically enumerate message IDs to retrieve messages belonging to other users. The exploit has been publicly disclosed, increasing the risk of active exploitation against unpatched systems.
According to the vendor's response, the fix implements "message ownership verification, so that users can only query messages related to themselves." This confirms the root cause was a lack of proper authorization checks when retrieving message content.
Root Cause
The vulnerability originates from missing ownership validation in the message retrieval functionality. The API endpoint accepts a messageId parameter and returns the corresponding message without verifying that the authenticated user has authorization to access that specific message. This allows any authenticated user to access any message in the system by simply guessing or enumerating valid message IDs.
The lack of proper access control checks on user-supplied object references is a common authorization flaw in web applications. In this case, the application trusted the user-provided messageId without confirming the requester's relationship to the requested resource.
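The following added example (not sz-boot-parent's code; every class, method and field name is an assumption) puts the unchecked lookup next to the ownership-scoped one in plain Java, with an in-memory map standing in for the message table:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical, simplified stand-in for a message service. Names are assumptions,
// not sz-boot-parent's own classes.
public class SysMessageOwnershipDemo {

    /** Minimal message record: id, owner (recipient) user id, body. */
    record SysMessage(long messageId, long ownerUserId, String content) {}

    /** Constructed in-memory store standing in for the sys_message table. */
    static final Map<Long, SysMessage> STORE = new HashMap<>();
    static {
        STORE.put(1001L, new SysMessage(1001L, 1L, "message for user 1"));
        STORE.put(1002L, new SysMessage(1002L, 2L, "message for user 2"));
        STORE.put(1003L, new SysMessage(1003L, 2L, "another message for user 2"));
    }

    /** Thrown when the caller may not read the requested message. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /**
     * VULNERABLE pattern (CWE-639): the lookup is keyed only by the user-supplied
     * messageId, so any authenticated user can read any message.
     */
    static Optional<SysMessage> findByIdUnchecked(long messageId) {
        return Optional.ofNullable(STORE.get(messageId));
    }

    /**
     * HARDENED pattern: the lookup is scoped to the caller. The owner id comes from the
     * authenticated session, never from the request, and the check fails closed.
     * A foreign message and a nonexistent one both yield "not found", so the
     * response does not confirm which ids exist.
     */
    static Optional<SysMessage> findByIdForUser(long messageId, long currentUserId) {
        SysMessage m = STORE.get(messageId);
        if (m == null || m.ownerUserId() != currentUserId) {
            return Optional.empty();
        }
        return Optional.of(m);
    }

    /** Same check in the style of a service layer that throws instead of returning empty. */
    static SysMessage getOwnedOrThrow(long messageId, long currentUserId) {
        return findByIdForUser(messageId, currentUserId)
                .orElseThrow(() -> new AccessDeniedException(
                        "message " + messageId + " is not accessible to user " + currentUserId));
    }

    public static void main(String[] args) {
        long currentUser = 1L; // would come from the authenticated principal

        // Unchecked: user 1 reads user 2's message just by changing messageId.
        System.out.println("unchecked 1002 -> "
                + findByIdUnchecked(1002L).map(SysMessage::content).orElse("<none>"));

        // Scoped: the same request is refused; the caller's own message still works.
        System.out.println("scoped 1002 -> "
                + findByIdForUser(1002L, currentUser).map(SysMessage::content).orElse("<none>"));
        System.out.println("scoped 1001 -> "
                + findByIdForUser(1001L, currentUser).map(SysMessage::content).orElse("<none>"));
        try {
            getOwnedOrThrow(1003L, currentUser);
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

In a Spring Data or MyBatis-Plus service the same scoping is expressed by adding the owner column to the query condition (select by id and owner id together) so the database never returns a foreign row. The two properties that matter are that the owner value is taken from the authenticated principal rather than from any request parameter, and that a foreign id fails in the same way as a nonexistent one.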
Attack Vector
The attack is executed remotely over the network by an authenticated user. The attacker manipulates the messageId parameter in requests to the /api/admin/sys-message/ endpoint, iterating through message IDs to access messages belonging to other users.
The following code examples from the security patch demonstrate the fix implementation:
EXISTS(1001, "已存在"),
NOT_EXISTS(1002, "不存在"),
FILE_NOT_EXISTS(1003, "文件不存在"),
- FILE_UPLOAD_EXT_ERROR(1004, "上传文件类型错误"),
+ FILE_UPLOAD_EXT_ERROR(1004, "文件类型不被允许,请检查文件扩展名和MIME类型"),
FILE_UPLOAD_SIZE_ERROR(1005, "上传文件大小不能超过10MB"),
FILE_UPLOAD_ERROR(1006, "上传文件失败"),
USERNAME_EXISTS(1007, "用户名已存在"),
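Review bot: this hunk only rewords the FILE_UPLOAD_EXT_ERROR enum message (the `-`/`+` pair at code 1004) and contains no message ownership check, so it does not illustrate the CVE-2026-3185 fix that the section says it demonstrates. If the intent is to show the fix, the excerpt should come from the sys-message query path where the owner condition is added; if the intent is to show that the same commit also tightened upload validation (the new message refers to checking the file extension and MIME type), the lead-in should say so, since that is a different control from the one this CVE is about.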
Source: GitHub Commit aefaabfd
The patch also includes import changes for improved validation:
package com.sz.core.util;
+import com.sz.core.common.enums.CommonResponseEnum;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.util.DigestUtils;
import org.springframework.web.multipart.MultipartFile;
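Review bot: the added import of com.sz.core.common.enums.CommonResponseEnum in a com.sz.core.util class is shown without any line that uses it, so on its own the hunk shows nothing about validation; include the call site that references the enum or drop the excerpt. The surrounding imports (HttpServletRequest, DigestUtils, MultipartFile) point to a file-upload utility rather than the message service, so the lead-in's "improved validation" refers to upload handling, not to the messageId ownership check this advisory is about.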
Source: GitHub Commit aefaabfd
Detection Methods for CVE-2026-3185
Indicators of Compromise
- Unusual patterns of sequential or enumerated requests to /api/admin/sys-message/ endpoint
- Single user accounts accessing large numbers of distinct message IDs
- HTTP 200 responses for message requests that should return 403 Forbidden based on ownership
- Anomalous access patterns showing users retrieving messages outside normal business hours or expected volume
Detection Strategies
- Implement API request monitoring to detect enumeration patterns on message endpoints
- Configure web application firewall rules to alert on sequential messageId parameter manipulation
- Deploy behavioral analytics to identify users accessing abnormally high numbers of messages
- Review application logs for access patterns indicating IDOR exploitation attempts
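As an added example of the enumeration indicators and detection strategies listed above (not from the page or from the project), the following plain-Java detector parses access-log lines, aggregates successful reads per user, and flags accounts whose message ids are either numerous or consecutive. The log format, the assumption that messageId appears as the last path segment, the user and message ids, and the thresholds are all constructed for this example:

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical detector. The log format below is constructed for this example and is
// not sz-boot-parent's own logging format.
public class SysMessageEnumerationDetector {

    /** Constructed access-log lines: timestamp, user id, method, path, status. */
    static final List<String> SAMPLE_LOG = List.of(
        "2026-02-26T09:00:01Z user=7 GET /api/admin/sys-message/2001 200",
        "2026-02-26T09:00:02Z user=7 GET /api/admin/sys-message/2002 200",
        "2026-02-26T09:00:02Z user=7 GET /api/admin/sys-message/2003 200",
        "2026-02-26T09:00:03Z user=7 GET /api/admin/sys-message/2004 200",
        "2026-02-26T09:00:03Z user=7 GET /api/admin/sys-message/2005 200",
        "2026-02-26T09:00:04Z user=7 GET /api/admin/sys-message/2006 200",
        "2026-02-26T09:00:10Z user=3 GET /api/admin/sys-message/3110 200",
        "2026-02-26T09:01:30Z user=3 GET /api/admin/sys-message/3087 200",
        "2026-02-26T09:02:00Z user=9 GET /api/admin/sys-message/2007 403"
    );

    /** Assumes messageId is the last path segment; adjust if it is a query parameter. */
    static final Pattern LINE = Pattern.compile(
        "^\\S+ user=(\\d+) \\w+ /api/admin/sys-message/(\\d+) (\\d{3})$");

    /** Per-user aggregate used for scoring. */
    static final class UserStats {
        final TreeSet<Long> ids = new TreeSet<>();
        int successes = 0;
    }

    /**
     * Flags users whose successful (2xx) reads cover more than maxDistinctIds distinct
     * message ids, or whose ids contain a run of at least maxSequentialRun consecutive
     * values (the sequential-enumeration indicator). Thresholds are assumptions to tune.
     */
    static List<String> findSuspiciousUsers(List<String> lines, int maxDistinctIds, int maxSequentialRun) {
        Map<String, UserStats> byUser = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;
            String user = m.group(1);
            long id = Long.parseLong(m.group(2));
            int status = Integer.parseInt(m.group(3));
            UserStats s = byUser.computeIfAbsent(user, k -> new UserStats());
            if (status >= 200 && status < 300) {  // only reads that actually returned data
                s.successes++;
                s.ids.add(id);
            }
        }
        List<String> alerts = new ArrayList<>();
        for (Map.Entry<String, UserStats> e : byUser.entrySet()) {
            UserStats s = e.getValue();
            int run = longestConsecutiveRun(s.ids);
            if (s.ids.size() > maxDistinctIds || run >= maxSequentialRun) {
                alerts.add(String.format("user=%s distinct_ids=%d longest_sequential_run=%d",
                        e.getKey(), s.ids.size(), run));
            }
        }
        return alerts;
    }

    /** Length of the longest run of consecutive ids in a sorted set (0 for an empty set). */
    static int longestConsecutiveRun(TreeSet<Long> ids) {
        int best = 0, cur = 0;
        Long prev = null;
        for (long id : ids) {
            cur = (prev != null && id == prev + 1) ? cur + 1 : 1;
            best = Math.max(best, cur);
            prev = id;
        }
        return best;
    }

    public static void main(String[] args) {
        // user 7 reads ids 2001..2006 in order; user 3 reads two unrelated ids; user 9 was refused.
        for (String alert : findSuspiciousUsers(SAMPLE_LOG, 20, 5)) {
            System.out.println("ALERT " + alert);
        }
    }
}
```

Only 2xx responses count toward the score, because a 403 means the ownership check (where present) already did its job; those lines are still worth a separate alert once the patched version is deployed, as the monitoring recommendations below note. The sequential-run test catches a slow crawler that stays under a per-session volume threshold, which is why both conditions are evaluated rather than volume alone.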
Monitoring Recommendations
- Enable detailed access logging for the /api/admin/sys-message/ endpoint with user identity correlation
- Set up alerts for failed authorization attempts if ownership checks are partially implemented
- Monitor for anomalous API call volumes from individual authenticated sessions
- Implement rate limiting on message retrieval endpoints to slow enumeration attacks
How to Mitigate CVE-2026-3185
Immediate Actions Required
- Upgrade sz-boot-parent to version 1.3.3-beta or later immediately
- Review access logs for evidence of exploitation prior to patching
- Audit all API endpoints for similar IDOR vulnerabilities in custom code
- Implement temporary rate limiting on the affected endpoint if immediate upgrade is not possible
Patch Information
The vulnerability is addressed in sz-boot-parent version 1.3.3-beta. The fix is identified by commit hash aefaabfd7527188bfba3c8c9eee17c316d094802 and implements message ownership verification to ensure users can only query messages related to themselves.
The vendor was notified before public disclosure and responded professionally by implementing the fix. Organizations should upgrade to version 1.3.3-beta by obtaining the release from the official GitHub repository.
Workarounds
- Implement a reverse proxy or web application firewall rule to block requests to /api/admin/sys-message/ until patching is complete
- Add custom authorization middleware that validates message ownership before allowing access
- Restrict access to the admin message API to trusted IP ranges as a temporary measure
- Disable the message functionality entirely if it is not business-critical while awaiting the upgrade
# Example nginx rate limiting configuration for affected endpoint
# limit_req_zone must be declared in the http {} context. It keys the limit on the
# client address, so it slows enumeration per source IP, not per user account.
limit_req_zone $binary_remote_addr zone=message_limit:10m rate=10r/m;
# The location block goes inside the server {} block that fronts the application.
location /api/admin/sys-message/ {
    limit_req zone=message_limit burst=5 nodelay;
    # Additional proxy configuration
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.