CVE-2026-7491:
CVE-2026-7491 is an Insecure Direct Object Reference (IDOR) vulnerability in the School App developed by Zyosoft that allows authenticated remote attackers to read and modify other users' data by manipulating a specific parameter.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.1High- Published Date:May 2, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.0
- EPSS Percentile:11%
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.2
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:NONE
Description Preview
CVE-2026-7491 is an Insecure Direct Object Reference (IDOR) vulnerability in the School App developed by Zyosoft that allows authenticated remote attackers to read and modify other users' data by manipulating a specific parameter.
Overview
CVE-2026-7491 affects the School App developed by Zyosoft and is rooted in an Insecure Direct Object Reference (IDOR) flaw, classified as CWE-639. The vulnerability arises from insufficient server-side authorization validation when processing user-controlled object reference parameters. Once authenticated, an attacker can modify these parameters to reference objects belonging to other users, thereby gaining unauthorized read and write access to their data. The attack requires no special privileges beyond a standard authenticated session, no user interaction, and can be carried out remotely over a network with low complexity. This results in high impact to both confidentiality and integrity of user data within the application, making it a significant risk for any deployment of this software.
Remediation
- To remediate CVE-2026-7491, the vendor Zyosoft should implement robust server-side authorization checks that validate whether the currently authenticated user is permitted to access or modify the requested object before processing any request. Object references should be tied to the session context of the authenticated user, ensuring users cannot enumerate or access resources belonging to others. Indirect reference maps or access control lists should be employed to prevent direct manipulation of internal object identifiers. Users and administrators of the School App should apply any patches or updates released by Zyosoft promptly, monitor application logs for anomalous access patterns indicative of IDOR exploitation, and review user data for signs of unauthorized access or modification until a patch is applied.
References
- - [TWCERT/CC Advisory (English) - CVE-2026-7491](https://www.twcert.org.tw/en/cp-139-10897-64257-2.html)
- - [TWCERT/CC Advisory (Traditional Chinese) - CVE-2026-7491](https://www.twcert.org.tw/tw/cp-132-10896-e3240-1.html)
- - [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
- - [OWASP: Insecure Direct Object Reference](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References)
- - [NVD Entry for CVE-2026-7491](https://nvd.nist.gov/vuln/detail/CVE-2026-7491)
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
