EIP-2026-104189

PRE-CVE

Broken Access Control - on NodeBB v3.6.7

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-104189. PoCs published by Vibhor Sharma.

AI-analyzed exploit summary The writeup describes a broken access control vulnerability in NodeBB v3.6.7, where an attacker can manipulate JSON response parameters to gain unauthorized access to admin-restricted tabs. The steps involve intercepting and modifying specific attributes in the group section response.

Description

Broken Access Control - on NodeBB v3.6.7

Exploits (1)

exploitdb WRITEUP

by Vibhor Sharma · textwebappsmultiple

https://www.exploit-db.com/exploits/51930

View Code ZIP pw:eip

The writeup describes a broken access control vulnerability in NodeBB v3.6.7, where an attacker can manipulate JSON response parameters to gain unauthorized access to admin-restricted tabs. The steps involve intercepting and modifying specific attributes in the group section response.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: NodeBB v3.6.7

Auth required

Prerequisites: User account with minimal privileges · Access to the group section · Ability to intercept and modify HTTP responses

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026