HarborGuard Database

Severity: HIGH | CVE-2026-54415 | CNA: TuranSec

CVE-2026-54415: Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover

Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}).

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 1.2.11
Affected Products: 1


HarborGuard Analysis

Synopsis

Broken access control in Azuriom CMS (versions before 1.2.11) allows an authenticated attacker who holds the admin.access permission to exceed their intended privileges via crafted HTTP requests to server management and AzLink API routes. The vulnerability is reachable over the network with no additional prerequisites beyond a low-privilege account carrying that permission, requiring no victim interaction. Successful exploitation lets the attacker create AzLink server tokens and take over arbitrary non-admin user accounts by overwriting their passwords and email addresses. A patched-image rebuild at version 1.2.11 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Azuriom CMS. Any image carrying a version of Azuriom CMS older than 1.2.11 is flagged immediately on match.

Triage: Available

HarborGuard scores this finding at CVSS 8.6 (HIGH) using the published v4.0 vector and applies per-environment compliance policy weighting to prioritize it within each customer org's queue. Findings are routed to the appropriate team inbox based on the owning workload, so the right engineers receive the alert without manual triage overhead.

Patch: Available

A patched-image rebuild at Azuriom CMS 1.2.11 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Azuriom CMS application over the network to send crafted HTTP requests to the affected admin and AzLink API routes.

  • Authentication: Required

    A valid account holding the admin.access permission is needed; any low-privilege account with that permission is sufficient, and no administrator-level account is required.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends crafted requests directly to the server without involving another user.

  • Attack complexity: Low

    Attack complexity is low: the exploit is reliable and depends on no race conditions or special environmental conditions.

Blast Radius

  • The attacker reads account details for any non-admin user by querying AzLink API endpoints, exposing stored email addresses and associated profile data.
  • The attacker overwrites the password and email address of targeted non-admin accounts, seizing full control of those accounts.
  • The attacker creates AzLink server tokens, gaining persistent API-level access to linked game servers managed through the CMS.
  • Integrity of the user database is compromised across all non-admin accounts the attacker chooses to target.
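Beyond matching image versions, a defender can also watch the web tier for the routes this advisory names. The following added example (not HarborGuard's or Azuriom's code) flags accepted requests to those routes that did not come from an assumed allowlist of linked game servers; the Combined Log Format, the logged user field, the allowlist network and the sample lines are all assumptions constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Routes named in the CVE-2026-54415 advisory. The regex, the log format and
# the allowlist below are assumptions for this example, not Azuriom code.
SENSITIVE_PATHS = re.compile(
    r"^/(admin/servers/create|api/azlink/(password|email|user/\d+))$"
)
# Hypothetical allowlist: networks of the game servers that legitimately call
# the AzLink API with their server tokens.
LINKED_SERVER_NETS = [ip_network("10.20.0.0/24")]

# Combined Log Format; the third field is assumed to carry the authenticated
# CMS user name (the app must be configured to log it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_linked_server(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in LINKED_SERVER_NETS)

def find_suspicious(lines):
    """Return (user, ip, method, path) for accepted (non-4xx/5xx) requests to
    the sensitive routes that did not come from a known linked game server."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop query string
        if not SENSITIVE_PATHS.match(path):
            continue
        if int(m["status"]) >= 400 or is_linked_server(m["ip"]):
            continue
        hits.append((m["user"], m["ip"], m["method"], path))
    return hits

# Constructed sample lines: one legitimate server call, then a mod account
# hitting the same routes from an ordinary client address.
SAMPLE_LOG = [
    '10.20.0.5 - - [01/Mar/2026:10:00:01 +0000] "POST /api/azlink/password HTTP/1.1" 200 12',
    '198.51.100.7 - mod_alice [01/Mar/2026:10:02:11 +0000] "POST /admin/servers/create HTTP/1.1" 302 0',
    '198.51.100.7 - mod_alice [01/Mar/2026:10:03:40 +0000] "POST /api/azlink/password HTTP/1.1" 200 12',
    '198.51.100.7 - mod_alice [01/Mar/2026:10:03:55 +0000] "GET /api/azlink/user/42?x=1 HTTP/1.1" 200 55',
    '198.51.100.7 - mod_alice [01/Mar/2026:10:04:02 +0000] "POST /api/azlink/email HTTP/1.1" 403 0',
]
```

Rejected requests (4xx/5xx) are skipped here so the output lists only calls the application actually honoured; on a patched 1.2.11 install the same rule serves as a regression check that the routes now refuse such callers.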

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54415 is active across all customer environments, matching images that include Azuriom CMS versions before 1.2.11 as soon as those images appear in a registry or CI pipeline scan. A patched-image rebuild at version 1.2.11 is available the moment an affected image is identified. For customers with auto-remediation enabled, HarborGuard triggers the rebuild, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is queued with full CVSS context and routing metadata so the responsible team can act without delay.

Affected packages
  • Azuriom / Azuriom CMS: < 1.2.11 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N