{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4171", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-14T12:57:22.419Z", "datePublished": "2026-03-15T08:02:07.894Z", "dateUpdated": "2026-03-16T15:40:39.639Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-15T08:02:07.894Z"}, "title": "CodeGenieApp serverless-express API Endpoint TodoList.ts authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "Authorization Bypass"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}], "affected": [{"vendor": "CodeGenieApp", "product": "serverless-express", "versions": [{"version": "4.17.0", "status": "affected"}, {"version": "4.17.1", "status": "affected"}], "modules": ["API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-14T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-14T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-14T14:02:27.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ana10gy (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.351078", "name": "VDB-351078 | CodeGenieApp serverless-express API Endpoint TodoList.ts authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351078", "name": "VDB-351078 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.769769", "name": "Submit #769769 | CodeGenieApp serverless-express <=4.17.1 Broken Object Level Authorization", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.769771", "name": "Submit #769771 | CodeGenieApp @codegenie/serverless-express <=4.17.1 Broken Object Level Authorization (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AnalogyC0de/public_exp/issues/20", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:40:31.627453Z", "id": "CVE-2026-4171", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:40:39.639Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4171", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T15:40:31.627453Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:40:35.382Z"}}], "cna": {"title": "CodeGenieApp serverless-express API Endpoint TodoList.ts authorization", "credits": [{"lang": "en", "type": "reporter", "value": "Ana10gy (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "CodeGenieApp", "modules": ["API Endpoint"], "product": "serverless-express", "versions": [{"status": "affected", "version": "4.17.0"}, {"status": "affected", "version": "4.17.1"}]}], "timeline": [{"lang": "en", "time": "2026-03-14T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-14T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-14T14:02:27.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.351078", "name": "VDB-351078 | CodeGenieApp serverless-express API Endpoint TodoList.ts authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351078", "name": "VDB-351078 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.769769", "name": "Submit #769769 | CodeGenieApp serverless-express <=4.17.1 Broken Object Level Authorization", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.769771", "name": "Submit #769771 | CodeGenieApp @codegenie/serverless-express <=4.17.1 Broken Object Level Authorization (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/AnalogyC0de/public_exp/issues/20", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-15T08:02:07.894Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4171", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:40:39.639Z", "dateReserved": "2026-03-14T12:57:22.419Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-15T08:02:07.894Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en CodeGenieApp serverless-express hasta la versi\u00f3n 4.17.1. Afectada por este problema est\u00e1 alguna funcionalidad desconocida del archivo examples/lambda-function-url/packages/api/models/TodoList.ts del componente API Endpoint. La manipulaci\u00f3n del argumento userId conduce a una omisi\u00f3n de autorizaci\u00f3n. El ataque es posible de ser llevado a cabo de forma remota. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. El proveedor fue contactado con antelaci\u00f3n sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."}], "id": "CVE-2026-4171", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:57.123", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/AnalogyC0de/public_exp/issues/20"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.351078"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.351078"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.769769"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.769771"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.17.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.17.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "serverless-express", "source": "cna", "vendor": "CodeGenieApp"}, "product": "serverless-express", "vendor": "codegenieapp"}], "analysis": {"en": {"generated_at": "2026-03-21T14:39:54.243043+00:00", "value": {"mitigation_remediation": ["Apply the latest CodeGenieApp serverless\u2011express patch or upgrade to a version newer than 4.17.1. This should fix the improper authorization check in the TodoList module."], "summary": {"action": "Immediate Patch", "impact": "Authorization Bypass allowing remote actors to act as other users"}, "threat_synthesis": {"affected_systems": "This flaw affects CodeGenieApp\u2019s serverless\u2011express component in all releases up to and including version 4.17.1. The affected functionality is located in examples/lambda\u2011function\u2011url/packages/api/models/TodoList.ts. No other versions or products have been identified as affected in the CNA data.", "description_and_impact": "The vulnerability resides in the TodoList.ts model of the CodeGenieApp serverless\u2011express API endpoint. Manipulating the userId parameter causes the system to ignore proper authorization checks, allowing an attacker to impersonate any user. This flaw can lead to the disclosure or modification of sensitive data and potentially to unauthorized execution of privileged actions within the application. The weakness corresponds to CWE\u2011285 (Authorization) and CWE\u2011639 (Authorization Bypass Through User\u2011Controlled Search).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. The EPSS score is reported as less than 1%, suggesting low but non-zero exploit probability. It is not currently listed in the CISA KEV catalog. The description states that the attack can be carried out remotely, though the precise vector (e.g., HTTP request to the API endpoint) is inferred and not explicitly detailed. Exploitation requires an authenticated or unauthenticated request to the affected endpoint with a manipulated userId parameter, which the software fails to validate, resulting in an authorization bypass."}}}}, "created": "2026-03-16T09:22:00.821872+00:00", "updated": "2026-03-23T14:01:57.845901+00:00", "vendors": ["codegenieapp", "codegenieapp$PRODUCT$serverless-express"]}