Auth bypass in SOPlanning

CVE-2026-40543

SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as wel…

Vulnerability class: Broken Access Control

EPSS: 0.001 (20.8th percentile)

Affected products

Weakness classification (CWE)

References