CVE-2026-8737 Overview
CVE-2026-8737 is a missing authentication vulnerability in Sanluan PublicCMS version 5.202506.d. The flaw resides in the execute function of publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java, part of the Trade Address Query Handler component. Attackers can manipulate the userId or id arguments to bypass authentication checks and access trade address data remotely. The exploit has been publicly disclosed, increasing the risk of opportunistic abuse. According to the VulDB advisory, the vendor was contacted but did not respond to the disclosure.
Critical Impact
Unauthenticated remote attackers can query trade address records by manipulating user identifier parameters, exposing customer address information stored in PublicCMS deployments.
Affected Products
- Sanluan PublicCMS 5.202506.d
- PublicCMS Trade Address Query Handler component
- Deployments using publiccms-trade module
Discovery Timeline
- 2026-05-17 - CVE-2026-8737 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8737
Vulnerability Analysis
The vulnerability is classified as Missing Authentication for Critical Function [CWE-287]. PublicCMS exposes the TradeAddressListDirective.execute method as a directive endpoint that returns trade address records. The endpoint accepts userId and id parameters as filter arguments, but the handler does not validate the caller's session or correlate the requested userId to an authenticated principal.
An attacker submitting a crafted request directly to the directive URL receives address data tied to arbitrary user identifiers. Because the directive operates on persisted trade records, the disclosure can include shipping addresses, recipient names, and other order-related identifiers entered during checkout flows.
The EPSS probability of 0.047% (14.65 percentile) reflects low current exploitation telemetry, but publication of working exploit details raises the likelihood of automated scanning against exposed PublicCMS instances.
Root Cause
The root cause is the absence of an authentication and authorization check inside the execute method of TradeAddressListDirective.java. The directive resolves the userId and id arguments and queries the address store without first confirming that the request originates from a session whose authenticated user matches the requested userId. PublicCMS directives are reachable through the template directive URL surface, which by design accepts client-supplied parameters.
Attack Vector
Exploitation is performed over the network with no authentication and no user interaction. An attacker issues an HTTP request to the directive endpoint with chosen userId or id values. The server processes the request, retrieves address records matching the supplied identifiers, and returns them in the response body. Identifier enumeration allows broad harvesting of stored address data across user accounts.
No synthetic exploit code is reproduced here. Refer to the VulDB entry #364325 and the VulnPlus disclosure note for handler-level details.
Detection Methods for CVE-2026-8737
Indicators of Compromise
- Unauthenticated HTTP requests targeting PublicCMS directive endpoints that include userId or id query parameters
- Sequential or enumerated values of userId from a single client IP within a short window
- Anomalous response sizes from the Trade Address directive correlating with unauthenticated sessions
Detection Strategies
- Inspect web server access logs for directive URL patterns referencing TradeAddressListDirective or the trade/address directive path with no associated authenticated session cookie
- Compare requesting session identity against the userId parameter value to detect mismatches
- Deploy WAF rules that block requests to the Trade Address directive when the session does not carry an authenticated PublicCMS user token
Monitoring Recommendations
- Monitor for spikes in 200-status responses from the publiccms-trade directive paths
- Alert on enumeration patterns where many distinct userId values are requested from a single source
- Track outbound data volumes from PublicCMS instances to detect bulk address harvesting
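The log-side detection steps above (flagging trade-address requests that carry no session cookie, and flagging a single source that enumerates many distinct userId values in a short window) as an added Python example; it is not code from the page or from the PublicCMS project. It assumes nginx access logs in the combined format extended with one trailing quoted $http_cookie field (a custom log_format you would have to configure), and the sample log lines and threshold values are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample: nginx "combined" format plus a trailing "$http_cookie"
# field (assumed custom log_format; not a PublicCMS default). The first five
# lines model identifier enumeration from one source with no session cookie,
# the sixth a request carrying a servlet session cookie, the last an unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2026:10:01:01 +0000] "GET /directive/trade/tradeAddressList?userId=1001 HTTP/1.1" 200 412 "-" "curl/8.0" "-"
203.0.113.7 - - [17/May/2026:10:01:02 +0000] "GET /directive/trade/tradeAddressList?userId=1002 HTTP/1.1" 200 398 "-" "curl/8.0" "-"
203.0.113.7 - - [17/May/2026:10:01:03 +0000] "GET /directive/trade/tradeAddressList?userId=1003 HTTP/1.1" 200 405 "-" "curl/8.0" "-"
203.0.113.7 - - [17/May/2026:10:01:04 +0000] "GET /directive/trade/tradeAddressList?userId=1004 HTTP/1.1" 200 390 "-" "curl/8.0" "-"
203.0.113.7 - - [17/May/2026:10:01:05 +0000] "GET /directive/trade/tradeAddressList?userId=1005 HTTP/1.1" 200 411 "-" "curl/8.0" "-"
198.51.100.4 - - [17/May/2026:10:05:10 +0000] "GET /directive/trade/tradeAddressList?userId=42 HTTP/1.1" 200 401 "https://shop.example/checkout" "Mozilla/5.0" "JSESSIONID=abc123"
198.51.100.9 - - [17/May/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
# Directive path taken from the page's nginx rule; matched case-insensitively.
TRADE_ADDRESS_RE = re.compile(r"/directive/trade/tradeAddressList", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    query = parse_qs(urlsplit(ev["path"]).query)
    # Either filter argument named by the advisory can select a record.
    ev["user_id"] = (query.get("userId") or query.get("id") or [None])[0]
    return ev


def is_trade_address_request(ev):
    return TRADE_ADDRESS_RE.search(ev["path"]) is not None


def unauthenticated_hits(events):
    """Successful trade-address requests that carry no servlet session cookie at all.
    A present JSESSIONID only proves a session exists, not that it is
    authenticated, so this is a coarse filter, not an authorization check."""
    return [
        (ev["ip"], ev["path"])
        for ev in events
        if is_trade_address_request(ev)
        and ev["status"] == 200
        and "JSESSIONID=" not in ev["cookie"]
    ]


def enumeration_sources(events, window_seconds=60, threshold=5):
    """Client IPs that requested >= threshold distinct identifiers against the
    trade-address directive inside any sliding window of window_seconds."""
    by_ip = defaultdict(list)
    for ev in events:
        if is_trade_address_request(ev) and ev["user_id"] is not None:
            by_ip[ev["ip"]].append((ev["ts"], ev["user_id"]))
    flagged = []
    for ip, items in by_ip.items():
        items.sort()
        in_window = Counter()  # distinct identifiers seen in the current window
        start = 0
        for ts, uid in items:
            in_window[uid] += 1
            # Slide the window start forward past events older than window_seconds.
            while (ts - items[start][0]).total_seconds() > window_seconds:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged.append(ip)
                break
    return flagged


def analyze(log_text, window_seconds=60, threshold=5):
    """Run both detections over raw log text and return the findings."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return {
        "unauthenticated": unauthenticated_hits(events),
        "enumeration": enumeration_sources(events, window_seconds, threshold),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

On the constructed sample, analyze() reports the five cookie-less hits from 203.0.113.7 and flags that address as an enumeration source, while the request from 198.51.100.4 that carries a session cookie and only one identifier is not flagged. The threshold and window are tuning knobs; a checkout flow legitimately queries one user's own addresses, so a handful of distinct identifiers per source per minute is the signal worth alerting on, not any single request.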
How to Mitigate CVE-2026-8737
Immediate Actions Required
- Restrict network exposure of the PublicCMS Trade Address directive endpoint to authenticated internal sessions only
- Place PublicCMS behind a reverse proxy or WAF that enforces authentication before reaching the /directive/ URL space
- Audit application logs for prior unauthenticated access to the Trade Address handler and notify impacted users if disclosure occurred
Patch Information
No vendor patch has been published. VulDB reports that Sanluan was contacted but did not respond to the disclosure. Operators running PublicCMS 5.202506.d should track the Sanluan PublicCMS repository for an upstream fix and consider applying a local patch that adds a session check to the execute method of TradeAddressListDirective.java.
Workarounds
- Add an authentication guard in TradeAddressListDirective.execute that rejects requests when the session principal does not match the supplied userId
- Disable or remove the publiccms-trade module if trade functionality is not in use
- Configure reverse proxy access control lists to block public access to the Trade Address directive path
# Example nginx rule blocking unauthenticated access to the trade address directive
# Note: this only rejects requests that carry no JSESSIONID cookie at all. A session
# cookie shows a servlet session exists, not that it is authenticated or that it
# belongs to the requested userId, so the handler-level guard remains the real fix.
location ~* /directive/trade/tradeAddressList {
    if ($http_cookie !~* "JSESSIONID=") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.