IDOR Flaws in MphRx Minerva Expose User Data and Enable Account Takeover
MphRx's Minerva 3.6.0 was found to contain two high-severity insecure direct object reference vulnerabilities, tracked as CVE-2026-5779 and CVE-2026-5780, that let authenticated users bypass authorization controls. The first issue affects the /minerva/user/updateUserProfile endpoint and allows a logged-in user to modify another registered user's profile information. The second affects /minerva/moUser/show/, where changing an ID parameter can expose other users' data, including user listings, without proper access checks.
The profile-modification flaw can be chained with the /webconnect/#/forgotPassword function to trigger password resets for other users, creating a path to full account takeover. Both CVEs were classified under CWE-284 and published through CVE records referencing an INCIBE-CERT advisory on multiple vulnerabilities in Minerva, with scoring that indicates low attack complexity, low privileges required, and significant confidentiality and integrity impact.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-5779 and CVE-2026-5780 are published
New CVE entries were published for two high-severity vulnerabilities in MphRx Minerva 3.6.0. CVE-2026-5779 described unauthorized modification of other users' profiles with possible account takeover chaining, while CVE-2026-5780 described unauthorized access to other users' data through ID parameter manipulation.
INCIBE publishes advisory on multiple MphRx Minerva vulnerabilities
INCIBE published a notice covering multiple vulnerabilities in MphRx's Minerva product, including the two IDOR flaws later tracked as CVE-2026-5779 and CVE-2026-5780. The advisory documented risks including unauthorized access to user data and potential account takeover through password-reset abuse.
INCIBE receives CVE reports for Minerva IDOR vulnerabilities
On 2026-04-28, CVE coordination at INCIBE received reports for two insecure direct object reference vulnerabilities affecting MphRx Minerva 3.6.0. The issues involved unauthorized profile modification via '/minerva/user/updateUserProfile' and unauthorized data access via '/minerva/moUser/show/'.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Authorization and CSRF Vulnerabilities in Admidio
Several newly disclosed **Admidio** vulnerabilities allow unauthorized or improperly authorized state-changing actions in core modules handling roles, documents, and forums. One flaw in `modules/groups-roles/groups_roles.php` is a **CSRF** issue that can let an attacker trick an authenticated user with `rol_assign_roles` privileges into activating, deactivating, or deleting organizational roles because the server does not properly enforce anti-CSRF validation for some sensitive requests. Additional Admidio issues stem from **missing authorization checks** on destructive actions, allowing operations to proceed after insufficient validation. In the documents module, `modules/documents-files.php` uses read-access checks such as `getFolderForDownload()` and `getFileForDownload()` before executing `folder_delete` and `file_delete`, which can let any user who can view a file or folder delete it; in public-mode configurations, that can extend to **unauthenticated deletion** of public content. In the forum module, `modules/forum.php` validates a CSRF token for `topic_delete` and `post_delete` actions but fails to verify whether the requester is actually authorized to delete the targeted content, enabling arbitrary forum post or topic deletion. A separate disclosure affecting **Campus Educativa** describes an **IDOR** at `/administracion/admin_usuarios.cgi` that exposes enrolled-user data through brute-forced course IDs, but that is a different product and incident and should be treated separately.
Mar 20, 2026
Multiple Critical Vulnerabilities in Imaster MEMS Events CRM and Patient Records Management Systems
Several critical and high-severity vulnerabilities have been identified in Imaster's MEMS Events CRM and Patient Records Management System, including SQL injection and stored Cross-Site Scripting (XSS) flaws. The vulnerabilities, tracked as CVE-2025-41003, CVE-2025-41004, CVE-2025-41005, and CVE-2025-41006, were discovered by Gonzalo Aguilar García (6h4ack) and coordinated by INCIBE. Specifically, SQL injection vulnerabilities exist in the 'id' parameter of `/projects/hospital/admin/complaints.php` (CVE-2025-41004), the 'keyword' parameter of `/memsdemo/exchange_offers.php` (CVE-2025-41005), and the 'phone' parameter of `/memsdemo/login.php` (CVE-2025-41006`). Additionally, a stored XSS vulnerability (CVE-2025-41003) affects the 'firstname' parameter in `/projects/hospital/admin/edit_patient.php`. All vulnerabilities are remotely exploitable, with CVSS v4.0 base scores ranging from 5.1 (medium) to 9.3 (critical), and no patches have been reported as available. The vulnerabilities impact enterprise management software used for event and patient record management, posing significant risks of unauthorized access, data exfiltration, and potential compromise of sensitive information. The SQL injection flaws, in particular, allow attackers to execute arbitrary SQL commands, potentially leading to full database compromise. The stored XSS vulnerability enables the execution of arbitrary JavaScript in the context of affected users, increasing the risk of session hijacking and further exploitation. Organizations using Imaster's MEMS Events CRM or Patient Records Management System should urgently assess their exposure and implement compensating controls until official fixes are released.
Mar 21, 2026
MinIO flaws enabled forged OIDC tokens and LDAP brute-force to seize S3 access
MinIO disclosed two high-severity authentication vulnerabilities that could let attackers obtain unauthorized access to S3 data and administrative functions. **CVE-2026-33322** affects OpenID Connect authentication in versions from `RELEASE.2022-11-08T05-27-07Z` through versions before `RELEASE.2026-03-17T21-25-16Z`, where a JWT algorithm confusion issue allows an attacker who knows the OIDC `ClientSecret` to forge identity tokens and obtain S3 credentials with arbitrary policies, including `consoleAdmin`. The flaw creates a direct path to compromise confidentiality, integrity, and availability across affected MinIO deployments. A second issue, **CVE-2026-33419**, affects the STS `AssumeRoleWithLDAPIdentity` endpoint in MinIO AIStor before `RELEASE.2026-03-17T21-25-16Z`. Distinct error messages enabled LDAP username enumeration, and the absence of rate limiting allowed unlimited password-guessing attempts by an unauthenticated network attacker. If exploited, the weakness could yield temporary AWS-style STS credentials and expose S3 buckets and objects to unauthorized access. MinIO patched both vulnerabilities in `RELEASE.2026-03-17T21-25-16Z`.
Mar 24, 2026