Vvveb CMS API Token Disclosure (CVE-2026-46407) High Severity

The National Vulnerability Database reports a high-severity vulnerability, CVE-2026-46407, in the Vvveb CMS. This flaw, present in versions prior to 1.0.8.3, allows an authenticated administrator to gain unauthorized access to other administrators’ REST API token lists. The vulnerability specifically affects the backend admin/auth-token endpoint.

By supplying another administrator’s admin_id, an attacker can retrieve sensitive API tokens. This is a critical information disclosure vulnerability (CWE-639) that could lead to broader compromise, as these tokens often grant extensive access to the CMS and its integrated services. The National Vulnerability Database assigns it a CVSS score of 8.1 (HIGH).

This isn’t just about API token exposure; it’s about privilege escalation. If an attacker compromises a lower-privileged admin account, they can use this vulnerability to harvest other administrators’ API tokens and effectively act as any other administrator on the system, bypassing the intended access controls. The fix is available in Vvveb version 1.0.8.3.

What This Means For You

  • If your organization uses Vvveb CMS, you need to immediately verify your version. If it's prior to 1.0.8.3, patch to the latest version without delay. Additionally, audit your administrator accounts and revoke any API tokens that may have been exposed. Assume compromise if you were running an unpatched version.

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Severity: high · ATT&CK: T1078.002 · Tactic: Privilege Escalation

Vvveb CMS Admin Auth Token Disclosure - CVE-2026-46407

Sigma YAML:
title: Vvveb CMS Admin Auth Token Disclosure - CVE-2026-46407
id: scw-2026-05-15-ai-1
status: experimental
level: high
description: |
  Detects requests to the Vvveb CMS /admin/auth-token endpoint with a GET method and a 200 status code, specifically looking for the presence of the 'admin_id=' parameter in the query string. This pattern is indicative of an attacker attempting to exploit CVE-2026-46407 by querying for other administrators' API tokens.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-46407/
tags:
  - attack.privilege_escalation
  - attack.t1078.002
logsource:
  category: webserver
detection:
  # Successful GET requests to the token-listing endpoint
  selection:
    cs-uri|contains:
      - '/admin/auth-token'
    cs-method:
      - 'GET'
    sc-status:
      - 200
  # Query string names a target administrator
  selection_indicators:
    cs-uri-query|contains:
      - 'admin_id='
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity
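The rule's selection logic applied to W3C-format web-server log lines in Python, as an added example that is not part of this page or of the Vvveb project. The log lines, user names and admin_id values are constructed; the log's cs-uri-stem column stands in for the rule's cs-uri field, and alice is assumed to be admin_id 2, so the row where she lists her own tokens still fires, which is exactly the "legitimate administrative activity" false positive the rule declares.

```python
"""Apply the Sigma rule's selection logic to W3C extended log lines."""
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed sample log (not real Vvveb traffic). Columns follow the
# W3C/IIS naming the Sigma rule uses; cs-uri-stem plays the role of cs-uri.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2026-05-15 22:17:01 203.0.113.10 alice GET /admin/index - 200
2026-05-15 22:17:05 203.0.113.10 alice GET /admin/auth-token admin_id=2 200
2026-05-15 22:17:09 203.0.113.10 alice GET /admin/auth-token admin_id=7 200
2026-05-15 22:17:12 198.51.100.4 bob POST /admin/auth-token admin_id=7 403
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def matches_rule(row: Dict[str, str]) -> bool:
    """selection and selection_indicators, as in the Sigma rule above."""
    return (
        "/admin/auth-token" in row.get("cs-uri-stem", "")
        and row.get("cs-method") == "GET"
        and row.get("sc-status") == "200"
        and "admin_id=" in row.get("cs-uri-query", "")
    )


def find_hits(text: str) -> List[Dict[str, str]]:
    """Return the rows that fire, each enriched with the requested admin_id."""
    hits = []
    for row in parse_w3c(text):
        if matches_rule(row):
            qs = parse_qs(row.get("cs-uri-query", ""))
            row["requested_admin_id"] = qs.get("admin_id", [""])[0]
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["cs-username"], "listed tokens for admin_id", hit["requested_admin_id"])
```

To separate self-service from cross-account reads, compare requested_admin_id with the admin_id that the CMS's own user table maps cs-username to; the web-server log alone cannot make that distinction.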

Source: Shimi's Cyber World


Indicators of Compromise

ID              Type                    Indicator
CVE-2026-46407  Information Disclosure  Vvveb CMS versions prior to 1.0.8.3
CVE-2026-46407  Information Disclosure  Vvveb CMS backend endpoint: admin/auth-token
CVE-2026-46407  Information Disclosure  Disclosure of REST API tokens via admin_id parameter

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
