CVE-2026-36720: Insecure permissions in bookcars v8.3
Insecure permissions in bookcars v8.3 allows authenticated attackers to escalate privileges from user to admin via modifying their user type.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: none published upstream
- Affected Products: 1
HarborGuard Analysis
Synopsis
An insecure permissions vulnerability in bookcars v8.3 allows an authenticated attacker to escalate their own privileges from a regular user account to administrator level by modifying the user type field on their own account: the application does not enforce that only an administrator may change that field, so a client-supplied value is accepted. The vulnerability is reachable over the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives the attacker full administrative access, enabling read and modification of data across the application. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection (Available): Detection for CVE-2026-36720 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds, including custom-built images that package bookcars v8.3. Coverage extends to images in both connected registries and active CI/CD pipelines.
Scoring and triage (Available): HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights that score against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is part of the standard workflow.
Patched-image rebuild (Pending upstream): No fix version has been published upstream, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, the affected image surfaces in each customer's open vulnerability queue for manual review and compensating-control action.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the bookcars service via standard network connectivity.
- Authentication: Required
A valid low-privilege user account is required, but no elevated or administrative credentials are needed to attempt the privilege escalation.
- Victim interaction: Not required
No user interaction or social engineering is involved; the attacker acts entirely on their own without needing any target user to take an action.
- Attack complexity: Low
The exploit is straightforward and repeatable, and does not depend on race conditions or specific environmental configuration.
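The pattern behind this class of bug, shown as an added illustration rather than code from the bookcars project: a self-service profile update that copies the request body onto the stored user record, so a client-supplied `type` field is honoured, next to a hardened handler that allow-lists the fields a user may edit on their own account and lets only an administrator change a role. The field names, the `admin`/`user` values, the in-memory store and the request shape are assumptions made for the demo, not identifiers taken from the advisory.

```javascript
"use strict";
// Added illustration, not code from the bookcars project: the vulnerable
// pattern behind "modify your own user type" escalation, next to a hardened
// handler. Field names (`type`, the "admin"/"user" values), the in-memory
// store and the request shape are assumptions for the demo.

const ADMIN = "admin";
const USER = "user";

// Constructed user records standing in for the database.
function makeStore() {
  return new Map([
    ["u1", { id: "u1", email: "alice@example.com", fullName: "Alice", type: USER }],
    ["a1", { id: "a1", email: "root@example.com", fullName: "Root", type: ADMIN }],
  ]);
}

// Shared pre-check: the caller's identity comes from the server-side session,
// and a caller may only touch their own record unless they are an admin.
function authorize(store, session, targetId) {
  const caller = store.get(session.userId);
  const target = store.get(targetId);
  if (!caller) return { status: 401 };
  if (!target) return { status: 404 };
  const isAdmin = caller.type === ADMIN;
  if (!isAdmin && caller.id !== target.id) return { status: 403 };
  return { caller, target, isAdmin };
}

// VULNERABLE: after the ownership check the body is copied wholesale onto the
// stored record, so a regular user sending {"id":"u1","type":"admin"} about
// their own account becomes an admin. Nothing asks who may change `type`.
function updateUserVulnerable(store, session, body) {
  const auth = authorize(store, session, body.id);
  if (auth.status) return auth;
  Object.assign(auth.target, body); // mass assignment of every submitted field
  return { status: 200, user: auth.target };
}

// HARDENED: explicit allow-list of self-editable fields; `type` is applied
// only when the caller is an admin and the value is a known one, and a
// non-admin attempt to send it is rejected outright so it shows up as a 403
// in the logs instead of being silently dropped.
const SELF_EDITABLE = new Set(["fullName", "email", "phone", "language"]);
const VALID_TYPES = new Set([ADMIN, USER]);

function updateUserHardened(store, session, body) {
  const auth = authorize(store, session, body.id);
  if (auth.status) return auth;
  const patch = {};
  for (const [key, value] of Object.entries(body)) {
    if (SELF_EDITABLE.has(key)) patch[key] = value;
  }
  if (Object.prototype.hasOwnProperty.call(body, "type")) {
    if (!auth.isAdmin) return { status: 403, reason: "only administrators may change user type" };
    if (!VALID_TYPES.has(body.type)) return { status: 400, reason: "unknown user type" };
    patch.type = body.type;
  }
  Object.assign(auth.target, patch);
  return { status: 200, user: auth.target };
}

// Walk the same escalation attempt through both handlers.
function demo() {
  const vulnerable = makeStore();
  const hardened = makeStore();
  const session = { userId: "u1" };                      // low-privilege attacker
  const attack = { id: "u1", fullName: "Alice", type: ADMIN };
  return {
    vulnerable: {
      response: updateUserVulnerable(vulnerable, session, attack).status, // 200
      resultingType: vulnerable.get("u1").type,                          // "admin"
    },
    hardened: {
      response: updateUserHardened(hardened, session, attack).status,    // 403
      resultingType: hardened.get("u1").type,                            // "user"
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The ownership check alone is not the bug; both handlers pass it. The difference is that the hardened version decides field by field what the caller may set, reads the caller's role from the server-side record rather than from anything in the request, and refuses the request instead of quietly discarding the disallowed field, so an attempt leaves a trace.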
Blast Radius
- An attacker gains administrator-level access to the bookcars application, unlocking all administrative functions and data.
- With elevated privileges, the attacker reads sensitive application data including user records, booking histories, and any stored credentials or tokens.
- The attacker can modify application data, including user accounts, bookings, pricing, and system configuration; once the escalation is complete there is no further authorization or approval barrier between them and any administrative function.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-36720, HarborGuard continuously re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a fix version is released. In the meantime, customers running bookcars v8.3 images can use HarborGuard's policy controls to flag the image as non-compliant and block its promotion through CI/CD pipelines. Recommended compensating controls: restrict which clients and internal services can reach the bookcars API with network policy rules; block or strip the user-type parameter from self-service profile update requests at the perimeter with input validation or WAF rules, treating this as a stopgap only, since a perimeter rule can be bypassed by alternative encodings or field names and must not break the legitimate administrator path for changing a user's type; review application and access logs for unexpected privilege changes in existing deployments; and reconcile the accounts that currently hold the admin type against the list of administrators that were actually provisioned, since a completed escalation leaves a live admin account behind that log review alone can miss. For customers with auto-remediation enabled, a rebuild and regression run will trigger and a PR will be opened against affected workloads as soon as an upstream patch is available.
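As an added example of the two review checks above, written for this page and not HarborGuard tooling or bookcars code: first, an inventory check that compares the accounts currently holding the admin type against the administrators the operator actually provisioned, which catches an escalation that has already happened; second, a scan over application audit lines that flags self-service updates carrying a `type` field and any type change made by a non-admin actor. The JSON line shape, the user record layout, the field name `type` and the sample data are constructed for the demo and will need adapting to what a given deployment logs.

```javascript
"use strict";
// Added example, not HarborGuard or bookcars code: two checks an operator can
// run while no upstream fix exists. The audit-line JSON shape, the user
// record layout and the field name `type` are assumptions for the demo;
// adapt them to what your deployment actually logs.

// Check 1 (data): every account that currently holds the admin type must be
// on the operator's provisioned-admin list. Anything else is either an
// undocumented manual change or a completed escalation, and needs review.
function findUnexpectedAdmins(users, provisionedAdminIds) {
  const allowed = new Set(provisionedAdminIds);
  return users
    .filter((u) => u.type === "admin" && !allowed.has(u.id))
    .map((u) => u.id);
}

// Check 2 (logs): parse application audit lines, one JSON object per line,
// and flag user-update events in which a non-admin actor submitted a `type`
// field (an attempt) or in which the stored type changed without an admin
// actor (a success). Malformed lines are counted rather than dropped
// silently, so a truncated or rotated log does not quietly hide activity.
function scanAuditLines(lines) {
  const findings = [];
  let malformed = 0;
  for (const line of lines) {
    let ev;
    try {
      ev = JSON.parse(line);
    } catch (_) {
      malformed++;
      continue;
    }
    if (!ev || typeof ev !== "object" || ev.action !== "user.update") continue;
    const actorIsAdmin = ev.actorType === "admin";
    const body = ev.body || {};
    if (!actorIsAdmin && Object.prototype.hasOwnProperty.call(body, "type")) {
      findings.push({ ts: ev.ts, actorId: ev.actorId, targetId: ev.targetId,
                      reason: "non-admin submitted type field", requested: body.type });
    }
    if (ev.before && ev.after && ev.before.type !== ev.after.type && !actorIsAdmin) {
      findings.push({ ts: ev.ts, actorId: ev.actorId, targetId: ev.targetId,
                      reason: "user type changed by non-admin actor",
                      from: ev.before.type, to: ev.after.type });
    }
  }
  return { findings, malformed };
}

// Constructed sample data: one account that should be a plain user but holds
// the admin type, and a log in which that same account re-types itself.
const SAMPLE_USERS = [
  { id: "a1", email: "root@example.com", type: "admin" },
  { id: "u1", email: "alice@example.com", type: "admin" }, // never provisioned as admin
  { id: "u2", email: "bob@example.com", type: "user" },
];
const PROVISIONED_ADMINS = ["a1"];
const SAMPLE_LOG = [
  '{"ts":"2026-04-01T10:00:00Z","action":"user.update","actorId":"u2","actorType":"user","targetId":"u2","body":{"fullName":"Bob B."}}',
  '{"ts":"2026-04-01T10:05:12Z","action":"user.update","actorId":"u1","actorType":"user","targetId":"u1","body":{"type":"admin"},"before":{"type":"user"},"after":{"type":"admin"}}',
  '{"ts":"2026-04-01T10:07:00Z","action":"user.update","actorId":"a1","actorType":"admin","targetId":"u2","body":{"type":"user"},"before":{"type":"user"},"after":{"type":"user"}}',
  '{"ts":"2026-04-01T10:09:00Z","action":"booking.create","actorId":"u2","actorType":"user"}',
  "not json at all",
];

function runChecks() {
  return {
    unexpectedAdmins: findUnexpectedAdmins(SAMPLE_USERS, PROVISIONED_ADMINS), // ["u1"]
    audit: scanAuditLines(SAMPLE_LOG), // 2 findings for u1, 1 malformed line
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Run the inventory check against a database export or a direct query rather than through the application's own admin screens, since an account that has already escalated can alter what those screens show. The admin-initiated update in the sample log is deliberately left unflagged; that is the legitimate path a perimeter rule on the user-type parameter must also leave open.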
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N