Home

Description

In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing authorization checks, this allows the attacker to deactivate the application's license.

PUBLISHED Reserved 2026-04-03 | Published 2026-07-08 | Updated 2026-07-09 | Assigner mitre

References

caxperts.com

github.com/...ories/blob/main/2026/CAXSEC-2026-001_portal.md

cve.org (CVE-2026-35552)

nvd.nist.gov (CVE-2026-35552)

Download JSON