What the vulnerability does
01 Description
Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelpayouts: from n/a through <= 1.2.2.
Explanation of Vulnerability in Simple Terms
02 Summary
Travelpayouts versions up to 1.2.2 lack proper authorization checks, allowing authenticated users with low privileges to perform actions they should not be able to access. The vulnerability requires user interaction and can affect confidentiality, integrity, and availability across the application scope. Site administrators should update to a version newer than 1.2.2.
What an attacker can do
03 Attacker Capabilities
Perform unauthorized actions affecting data confidentiality, integrity, and availability within the application.
Potential impact on your site
04 Site Impact
Authenticated users with low privileges can bypass access controls and modify or view data they should not access.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account and trick a user into clicking a malicious link or visiting a crafted page.
Key dates
06 Disclosure timeline
February 20, 2026: CVE published
April 28, 2026: Record updated