CVE-2026-5230: Improper Access Control in Mia Technologies' Pizzy Library
Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 1.3.9.26250
- Affected Products: 1
HarborGuard Analysis
Synopsis
An improper access control vulnerability in MIA Technology Inc.'s Pizzy Library allows a network-accessible attacker to bypass authorization checks and access restricted resources. The flaw is reachable over the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives the attacker read access to sensitive data and limited ability to modify application state. A patched-image rebuild at version 1.3.9.26250 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-5230 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Pizzy Library versions from 1.0.0.26250 up to, but not including, 1.3.9.26250.
HarborGuard is capable of scoring this finding at CVSS 7.1 (High) and weighting it against each customer org's compliance policy to determine breach-of-policy status; findings are then routed to the appropriate team inbox within that org based on configured ownership rules.
A patched-image rebuild at Pizzy Library version 1.3.9.26250 becomes available in HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the configured regression suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable service must be reachable over the network; an attacker can send crafted requests from a remote host without requiring physical or local access.
- Authentication: Required
Any low-privilege account is sufficient; the attacker does not need administrative or elevated credentials to trigger the access control bypass.
- Victim interaction: Not required
No user action is needed; the attacker can exploit the flaw entirely without involving another person.
- Attack complexity (detail)
Exploit complexity is low, meaning no special timing, race conditions, or environmental prerequisites are needed for the attack to succeed reliably.
Blast Radius
- A successful attacker reads sensitive application data that should be restricted to higher-privilege users, such as configuration details, user records, or internal API responses.
- The attacker can make low-impact writes or modifications within the application, limited by the scope of the misconfigured access control rules.
- No availability impact is introduced by this vulnerability; the service continues running during and after exploitation.
How HarborGuard Handles This
Available on HarborGuard: detection of CVE-2026-5230 is matched against customer images within minutes of publication. For environments running a Pizzy Library version from 1.0.0.26250 up to, but not including, 1.3.9.26250, a rebuild at the fixed version 1.3.9.26250 is available. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image, executes the configured regression tests, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with CVSS scoring and policy-weighted priority so the responsible team can act on it directly.
Fix available
- MIA Technology Inc. / Pizzy Library: < 1.3.9.26250 (from 1.0.0.26250)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N