CVE-2026-4320 PUBLISHED

Authorization Bypass in ICMS Content Management by Creartia Internet Consulting

Assigner: INCIBE
Reserved: 17.03.2026 Published: 18.05.2026 Updated: 18.05.2026

Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for credentials.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Creartia Internet Consulting
Product	ICMS Content Management
Versions	Default: unaffected affected from 0 to * (excl.)

Solutions

The vulnerability has been fixed by Creartia Internet Consulting S.L. team. It is recommended to update to the last version.

Credits

Pirolita finder

References

https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-icms-content-management-creartia-internet-consulting

Problem Types

CWE-288 Authentication bypass using an alternate path or channel CWE