CVE-2026-40551

mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19 and below.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/posts/2026/04/CVE-2026-40550/
https://www.mpgabinet.pl/

Configurations

No configuration.

History

28 Apr 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-28 14:16

Updated : 2026-04-28 20:20

NVD link : CVE-2026-40551

Mitre link : CVE-2026-40551

CVE.ORG link : CVE-2026-40551

JSON object : View

Products Affected

No product.

CWE

CWE-603

Use of Client-Side Authentication

{"id": "CVE-2026-40551", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "cvd@cert.pl"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-28T14:16:13.510", "references": [{"url": "https://cert.pl/posts/2026/04/CVE-2026-40550/", "source": "cvd@cert.pl"}, {"url": "https://www.mpgabinet.pl/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-603"}]}], "descriptions": [{"lang": "en", "value": "mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. \n\nThis issue affects mpGabinet version 23.12.19 and below."}], "lastModified": "2026-04-28T20:20:09.767", "sourceIdentifier": "cvd@cert.pl"}

CVE-2026-40551

JSON object

Attach tags to CVE-2026-40551

Attach tags to `CVE-2026-40551`