Skip to content
CVSS 8.8 · HIGH

CVE-2026-5779

An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an authenticated user to modify other users' information, such as their email address, and request a new password via the '/webconnect/#/forgotPassword' endpoint. This could lead to complete account takeover.

Ver en NVD

Análisis

This vulnerability affects a niche healthcare-specific platform (Minerva by MphRx/agilonhealth). While the account takeover impact is significant, the product is a vertical SaaS solution rather than a general-purpose tool used by the broad development community.

Severidad

Puntaje: 8.8(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-284

EPSS

Probabilidad de explotación (próx. 30 días): 0.0004 (0.0%)
Percentil: 13.1%
EPSS: 2026-05-06

Afecta

agilonhealth:minerva

Descripción técnica

An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an authenticated user to modify other users' information, such as their email address, and request a new password via the '/webconnect/#/forgotPassword' endpoint. This could lead to complete account takeover.

Publicada: 28/4/2026, 13:19:22
Última modificación: 5/5/2026, 14:20:48

Referencias

InicioEventosBlogRecursosEquipo