CVE-2026-3020 PUBLISHED

Identity based authorization bypass vulnerability (IDOR) in the Wakyma application web

Assigner: INCIBE
Reserved: 23.02.2026 Published: 16.03.2026 Updated: 16.03.2026

Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other users' legitimate accounts

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Wakyma
Product	Wakyma application web
Versions	Default: unaffected Version all versions is affected

Solutions

Wakyma has fixed the vulnerability in the continuous integration deployed in production since February 19, 2026.

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wakyma-application-web

Problem Types

CWE-639 Authorization bypass through User-Controlled key CWE