{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31272", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-07T17:08:09.932Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-07T17:08:09.932Z"}, "descriptions": [{"lang": "en", "value": "MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication."}], "id": "CVE-2026-31272", "lastModified": "2026-04-08T21:27:00.663", "metrics": {}, "published": "2026-04-07T18:16:41.143", "references": [{"source": "cve@mitre.org", "url": "https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.1.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "mushroom", "vendor": "wuweiit"}], "analysis": {"en": {"generated_at": "2026-04-07T21:38:45.273609+00:00", "value": {"mitigation_remediation": ["Apply an official patch or upgrade MRCMS to a version that enforces proper authorization on the UserController.save() method.", "If a patch is not yet available, restrict network access to the application\u2019s web endpoints, for example by firewall rules or VPN access.", "Monitor application logs for any unauthorized creations of super administrator accounts and investigate promptly.", "Apply general security hardening: enforce strong authentication, use HTTPS, and keep the application server up to date with the latest security patches."], "summary": {"action": "Immediate Patch", "impact": "Elevation of Privileges"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the web application backend of MRCMS, version 3.1.2. No other vendor or product information is provided.", "description_and_impact": "The flaw lies in the save() method of the UserController class in MRCMS 3.1.2. Because the method does not perform proper authorization checks, an unauthenticated user can submit a request that creates a new super administrator account. This grants an attacker full control over the application, enabling modification of data, configuration, and addition or deletion of other users. The lack of authentication or privilege checks allows a direct escalation of privileges, compromising confidentiality, integrity, and availability of the entire system.", "risk_and_exploitability": "The affected endpoint can be called without any authentication, meaning the attack vector is a simple HTTP request to the web application. Although no official CVSS score is available, the ability to create super administrator accounts represents a high severity vulnerability. EPSS data is not available and the issue is not listed in the CISA KEV catalog, but any system running exposed MRCMS 3.1.2 remains at considerable risk of rapid compromise by an attacker who can add privileged accounts."}}}}, "created": "2026-04-08T19:50:22.684058+00:00", "title": "Access Control Bypass Allowing Creation of Super Administrator Accounts in MRCMS 3.1.2", "updated": "2026-04-09T08:24:32.559358+00:00", "vendors": ["wuweiit", "wuweiit$PRODUCT$mushroom"], "weaknesses": ["CWE-284"]}