Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.5
Feiyuchuixue sz-boot-parent API Endpoint Allows Unauthorized Access
CVE-2026-3185
Summary
A vulnerability in the feiyuchuixue sz-boot-parent API Endpoint allows an attacker to bypass authorization checks, potentially giving them access to sensitive information. This issue affects versions up to 1.3.2-beta and can be exploited remotely. To fix the issue, update to version 1.3.3-beta or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| szadmin | sz-boot-parent | <= 0.9.0 | – |
| szadmin | sz-boot-parent | 1.0.0 | – |
| szadmin | sz-boot-parent | 1.0.1 | – |
| szadmin | sz-boot-parent | 1.0.2 | – |
| szadmin | sz-boot-parent | 1.1.0 | – |
| szadmin | sz-boot-parent | 1.2.0 | – |
| szadmin | sz-boot-parent | 1.2.1 | – |
| szadmin | sz-boot-parent | 1.2.2 | – |
| szadmin | sz-boot-parent | 1.2.3 | – |
| szadmin | sz-boot-parent | 1.2.4 | – |
| szadmin | sz-boot-parent | 1.2.5 | – |
| szadmin | sz-boot-parent | 1.2.6 | – |
| szadmin | sz-boot-parent | 1.3.0 | – |
| szadmin | sz-boot-parent | 1.3.1 | – |
| szadmin | sz-boot-parent | 1.3.2 | – |
Original title
A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the...
Original description
A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the argument messageId results in authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta is able to address this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professional: "We have implemented message ownership verification, so that users can only query messages related to themselves."
nvd CVSS2.0
5.0
nvd CVSS3.1
5.3
nvd CVSS4.0
5.5
Vulnerability type
CWE-285
Improper Authorization
CWE-639
Authorization Bypass Through User-Controlled Key
- https://github.com/feiyuchuixue/sz-boot-parent/ Product
- https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9ee... Patch
- https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta Release Notes
- https://github.com/yuccun/CVE/blob/main/sz-boot-parent-IDOR_Message_ID_Enumerati... Exploit Third Party Advisory
- https://vuldb.com/?ctiid.347743 Permissions Required Third Party Advisory VDB Entry
- https://vuldb.com/?id.347743 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.754036 Third Party Advisory VDB Entry
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026