CVE-2026-54415
HighCVSS 8.1Summary
Missing authorization in the server management routes in Azuriom CMS before version 1.2.11 allows an authenticated attacker with admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses.
Risk Assessment
An attacker can gain full control over user accounts, leading to serious security breaches and data loss within the organization.
Recommendation
It is recommended to update Azuriom CMS to version 1.2.11 or later to mitigate this vulnerability and review user permissions in the system.
Original NVD description (English source)
Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}).

