Skip to content
CVSS 8.8 · HIGH

CVE-2026-5781

An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitation of this vulnerability could allow an authenticated user to obtain administrator privileges. It is not possible to escalate privileges through the graphical user interface.

Ver en NVD

Análisis

This vulnerability affects Minerva, a specialized healthcare information platform, allowing privilege escalation to administrator via a manipulated API request. While the severity is high, the product is a niche vertical solution not commonly used in general software development or DevOps contexts.

Severidad

Puntaje: 8.8(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-285

EPSS

Probabilidad de explotación (próx. 30 días): 0.0004 (0.0%)
Percentil: 13.1%
EPSS: 2026-05-06

Afecta

agilonhealth:minerva

Descripción técnica

An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitation of this vulnerability could allow an authenticated user to obtain administrator privileges. It is not possible to escalate privileges through the graphical user interface.

Publicada: 28/4/2026, 13:19:22
Última modificación: 5/5/2026, 14:24:45

Referencias

InicioEventosBlogRecursosEquipo