CVE-2026-5228 | Severity: HIGH | CNA: TR-CERT

CVE-2026-5228: Improper Access Control in Kurt Software Studio's WriteUp Mobile App

Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026.

Metrics

CVSS v3.1 base score: 8.8
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

An improper access control vulnerability affects Kurt Software Studio's WriteUp Mobile App, impacting versions 1.3.0 through 04062026. The flaw is reachable over the network by any authenticated user with a low-privilege account, requiring no additional interaction from other users. Successful exploitation gives an attacker full read, write, and availability impact within the application scope. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as the upstream maintainer publishes a fix.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-5228 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including TR-CERT. This capability covers both third-party base images and custom-built images that bundle the WriteUp Mobile App or its dependencies.
Triage (status: Available)

HarborGuard is capable of scoring this CVE at 8.8 HIGH using the published CVSS v3.1 vector and can weight findings against each customer organization's compliance policy to raise or lower alert priority accordingly. Routing to the appropriate team inbox within a customer org is handled automatically based on policy configuration.
Patch (status: Pending upstream)

Because no fix version has been published by Kurt Software Studio, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WriteUp Mobile App service over the network; local or physical access is not required.

  • Authentication: Required

    Any low-privilege account is sufficient; no admin or elevated credentials are needed to trigger the access control bypass.

  • Victim interaction: Not required

    The attacker does not need any action from another user to exploit this vulnerability.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable, with no race conditions or environmental constraints that must be satisfied.

Blast Radius

  • Reads application data the authenticated user is not authorized to access, including data belonging to other users or restricted functional areas.
  • Writes or modifies application records and content beyond the attacker's authorized scope.
  • Disrupts application availability, potentially rendering the service unusable for legitimate users.
  • Accesses application functionality gated by access control lists, bypassing role or permission enforcement entirely.

How HarborGuard Handles This

Available on HarborGuard: this CVE is being actively monitored across customer image registries and CI pipelines against the published CVSS 8.8 HIGH rating. Because Kurt Software Studio has not yet released a fix for any affected version of WriteUp Mobile App (1.3.0 through 04062026), HarborGuard re-evaluates the advisory on every ingest cycle. The moment an upstream patch is published, a patched-image rebuild becomes available automatically; for customers with auto-remediation enabled, this triggers a full rebuild, regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to restrict which internal services can reach WriteUp Mobile App endpoints, egress filtering to limit lateral movement if the app is compromised, and feature-flag gating to disable non-essential application functionality that relies on the affected access control paths. Where compliance policy requires, HarborGuard can also route this finding to a designated security inbox for manual triage.

Affected packages
  • Kurt Software Studio / WriteUp Mobile App: ≤ 04062026
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H