CVE-2026-31271

CRITICAL

megagao production_ssm 1.0 - Auth Bypass

Title source: llm

Description

megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise.

References (1)

https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0013

EPSS Percentile 32.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-288

Status published

Published Apr 07, 2026

Tracked Since Apr 07, 2026