CVE-2026-5750 Overview
An insecure direct object reference (IDOR) vulnerability has been identified in the Fullstep V5 registration process. It allows authenticated users to access and modify data belonging to other registered users through the application's authenticated API endpoints and registration resources. The flaw stems from improper authorization checks on user-specific resources and enables horizontal privilege escalation.
Critical Impact
Authenticated attackers can access sensitive user information and modify personal details, documents, and registration data belonging to other users, leading to a significant data breach and privacy violations.
Affected Products
- Fullstep V5 (Registration Process)
- Fullstep V5 API Supplier Endpoints
- Fullstep V5 Supplier Registration Module
Discovery Timeline
- 2026-04-22 - CVE-2026-5750 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-5750
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), which represents a critical authorization flaw in the Fullstep V5 application. The vulnerability allows authenticated users to bypass access controls by manipulating user-controlled identifiers in API requests and registration URLs.
The application fails to properly validate whether the authenticated user has authorization to access the requested resources. Instead, it relies on user-supplied identifiers to determine which data to return or modify, creating a classic IDOR condition that can be exploited for unauthorized data access.
Root Cause
The root cause of this vulnerability lies in insufficient authorization validation within the Fullstep V5 application. The vulnerable endpoints accept user-controlled identifiers without verifying that the authenticated user has legitimate access to the requested resources. This design flaw allows any authenticated user to enumerate and access data belonging to other users simply by modifying the identifier values in API requests.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the Fullstep V5 application. An attacker can exploit this vulnerability through two primary attack vectors:
User Information Disclosure: The API endpoint /api/suppliers/v1/suppliers/<user_id>/false can be manipulated to retrieve information about other registered users by iterating through user identifiers. An attacker can enumerate valid user IDs and extract sensitive supplier information.
User Data Modification: The registration endpoint /#/supplier-registration/supplier-registration/<user_id>/2 allows authenticated users to modify registration data for other users. By substituting another user's identifier, an attacker can update personal details, documents, and other registration information belonging to victims.
The exploitation requires only valid authentication credentials and the ability to guess or enumerate user identifiers, making this a relatively low-complexity attack with potentially high impact on data confidentiality and integrity.
Detection Methods for CVE-2026-5750
Indicators of Compromise
- Unusual access patterns to supplier API endpoints with sequential or enumerated user identifiers
- Authentication logs showing single users accessing multiple distinct supplier profiles in rapid succession
- HTTP requests to /api/suppliers/v1/suppliers/ with varying user IDs from the same session
- Modification attempts on supplier registration records that don't match the authenticated user's profile
Detection Strategies
- Implement application-layer monitoring for API requests that access resources with mismatched user identifiers
- Deploy web application firewall (WAF) rules to detect and alert on parameter manipulation patterns in supplier endpoints
- Enable detailed access logging for all supplier API endpoints and registration resources
- Create correlation rules to identify sessions accessing multiple distinct user profiles
Monitoring Recommendations
- Monitor for anomalous spikes in API requests to supplier information endpoints
- Track and alert on sequential user ID enumeration attempts across the affected endpoints
- Implement session-based anomaly detection to identify users accessing resources beyond their authorization scope
- Review access logs for patterns indicating IDOR exploitation attempts
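As an added example (not part of the advisory or of Fullstep's own tooling), the following Python applies the indicators above to a constructed access log: it flags supplier API requests whose identifier differs from the authenticated user's id, separates out the write attempts, and reports sessions that touch many distinct or consecutive identifiers. The log format, session and user ids are constructed; the registration route (/#/supplier-registration/...) is a URL fragment that the browser never sends to the server, so only the /api/suppliers/v1/suppliers/ path can be matched in server-side logs.

```python
import re
from collections import defaultdict
# Constructed log format for this example (not Fullstep's own):
# "<time> <session> <authenticated_user_id> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) ([A-Z]+) (\S+) (\d{3})$")
SUPPLIER_RE = re.compile(r"^/api/suppliers/v1/suppliers/(\d+)(?:/|$)")  # id in the affected path
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
SAMPLE_LOG = """\
10:00:01 s1 1042 GET /api/suppliers/v1/suppliers/1042/false 200
10:00:02 s1 1042 PUT /api/suppliers/v1/suppliers/1042 200
10:01:00 s2 2001 GET /api/suppliers/v1/suppliers/2001/false 200
10:01:01 s2 2001 GET /api/suppliers/v1/suppliers/2002/false 200
10:01:02 s2 2001 GET /api/suppliers/v1/suppliers/2003/false 200
10:01:03 s2 2001 GET /api/suppliers/v1/suppliers/2004/false 200
10:01:05 s2 2001 PUT /api/suppliers/v1/suppliers/2003 200
10:02:00 s3 3005 GET /api/suppliers/v1/suppliers/3005/false 200
10:02:01 s3 3005 GET /api/suppliers/v1/suppliers/9000/false 404
"""

def parse_events(log):
    """Return (session, auth_user, supplier_id, method, status) per supplier API hit."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        s = SUPPLIER_RE.match(m.group(5)) if m else None
        if s:
            _time, session, auth_user, method, _path, status = m.groups()
            events.append((session, int(auth_user), int(s.group(1)), method, int(status)))
    return events

def analyze(log, enum_threshold=3):
    """Flag cross-user hits (identifier != caller) and per-session enumeration."""
    events = parse_events(log)
    cross_user = [e for e in events if e[1] != e[2]]
    ids_by_session = defaultdict(set)
    for session, _, supplier_id, _, _ in events:
        ids_by_session[session].add(supplier_id)
    enumeration = {}
    for session, ids in ids_by_session.items():
        if len(ids) < enum_threshold:
            continue
        ordered = sorted(ids)
        run = best = 1  # longest run of consecutive identifiers
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        enumeration[session] = {"distinct_ids": len(ids), "longest_sequential_run": best}
    return {"cross_user": cross_user, "enumeration": enumeration,
            "cross_user_writes": [e for e in cross_user if e[3] in WRITE_METHODS]}
```

A single mismatched read can be a legitimate 404 probe, so the write list and the sequential-run count are the signals worth alerting on first.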
How to Mitigate CVE-2026-5750
Immediate Actions Required
- Implement proper authorization checks on all affected API endpoints to verify the authenticated user has permission to access the requested resource
- Add server-side validation to ensure users can only access their own supplier profiles and registration data
- Replace predictable sequential user identifiers with non-enumerable tokens or UUIDs where possible
- Conduct a comprehensive security review of all authenticated endpoints for similar IDOR vulnerabilities
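The first three actions above in code, as an added example that is not Fullstep's own: the vulnerable lookup keyed only on the URL identifier sits next to a hardened version that resolves a non-enumerable public id, checks that the caller owns the record before any read or write, and answers "not found" for both missing and foreign records. Principal, SupplierStore, NotFound, the supplier_admin role and the in-memory store are assumptions made for the illustration.

```python
import uuid
from dataclasses import dataclass, field
# Added example, not Fullstep code: Principal, SupplierStore and NotFound are
# constructed names, and an in-memory dict stands in for the database.

@dataclass
class Principal:
    user_id: int
    roles: frozenset = frozenset()

@dataclass
class Supplier:
    supplier_id: int        # internal, sequential database key
    owner_user_id: int      # registered user who owns this profile
    name: str
    # Non-enumerable public handle to use in URLs instead of supplier_id
    public_id: str = field(default_factory=lambda: str(uuid.uuid4()))

class NotFound(Exception):
    """Raised for missing and forbidden records alike (maps to HTTP 404)."""
EDITABLE_FIELDS = {"name"}  # fields a user may change on their own profile

class SupplierStore:
    def __init__(self, suppliers):
        self._by_id = {s.supplier_id: s for s in suppliers}
        self._by_public = {s.public_id: s for s in suppliers}

    def get_supplier_vulnerable(self, principal, supplier_id):
        # Vulnerable: the path identifier is the only key; the caller's
        # identity is never compared with the record's owner (CWE-639).
        return self._by_id[supplier_id]

    def _authorized(self, principal, record):
        # Object-level check: record owner, or an explicit administrative role
        return record.owner_user_id == principal.user_id or "supplier_admin" in principal.roles

    def get_supplier(self, principal, public_id):
        record = self._by_public.get(public_id)
        if record is None or not self._authorized(principal, record):
            # Same response for "missing" and "not yours": a probe learns nothing
            raise NotFound(public_id)
        return record

    def update_supplier(self, principal, public_id, **changes):
        record = self.get_supplier(principal, public_id)  # write reuses the read check
        for key, value in changes.items():
            if key not in EDITABLE_FIELDS:
                raise ValueError(f"field not editable: {key}")
            setattr(record, key, value)
        return record
```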
Patch Information
Refer to the INCIBE Security Notice for detailed remediation guidance and any available patches from the vendor.
Workarounds
- Implement additional access control layers at the application gateway or reverse proxy level
- Deploy a web application firewall (WAF) with custom rules to block unauthorized cross-user access attempts
- Restrict access to the affected supplier API endpoints to trusted networks or IP ranges until a patch is applied
- Enable enhanced logging and monitoring on vulnerable endpoints to detect exploitation attempts
# Example WAF rule concept for blocking IDOR attempts
# Block requests where the user_id parameter doesn't match the authenticated session
# Implementation varies by WAF platform - consult your vendor documentation
# Log all access to supplier endpoints for forensic analysis
# Enable verbose access logging on:
# - /api/suppliers/v1/suppliers/*
# - /#/supplier-registration/supplier-registration/*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.