
Description

An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints are '/api/suppliers/v1/suppliers//false', which lists user information, and '/#/supplier-registration/supplier-registration//2', which is used to update your own user information (personal details, documents, etc.).

PUBLISHED Reserved 2026-04-07 | Published 2026-04-22 | Updated 2026-04-22 | Assigner INCIBE




HIGH: 7.6 | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

Default status: unaffected

5: affected

5.30.07: unaffected

Credits

Alejandro Rivera León (finder)

References

www.incibe.es/...ces/aviso/multiple-vulnerabilities-fullstep (patch)

cve.org (CVE-2026-5750)

nvd.nist.gov (CVE-2026-5750)
