Auth bypass in D-Link D-View 8

CVE-2026-23754

D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other u…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (17.0th percentile)

Affected products

Weakness classification (CWE)

References