{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4549", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-21T16:49:05.353Z", "datePublished": "2026-03-22T13:47:25.406Z", "dateUpdated": "2026-03-25T13:45:28.122Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-22T13:47:25.406Z"}, "title": "mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "Authorization Bypass"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}], "affected": [{"vendor": "mickasmt", "product": "next-saas-stripe-starter", "versions": [{"version": "1.0.0", "status": "affected"}], "modules": ["Stripe API"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitation is known to be difficult."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.1, "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-21T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-21T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-21T17:54:14.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Ghufran Khan (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.352376", "name": "VDB-352376 | mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352376", "name": "VDB-352376 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.774806", "name": "Submit #774806 | mickasmt next-saas-stripe-starter 1.0.0 Authorization Bypass", "tags": ["third-party-advisory"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:45:13.098812Z", "id": "CVE-2026-4549", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:45:28.122Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:45:13.098812Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:45:20.980Z"}}], "cna": {"title": "mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization", "credits": [{"lang": "en", "type": "reporter", "value": "Ghufran Khan (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.1, "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:ND/RL:ND/RC:UR"}}], "affected": [{"vendor": "mickasmt", "modules": ["Stripe API"], "product": "next-saas-stripe-starter", "versions": [{"status": "affected", "version": "1.0.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-21T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-21T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-21T17:54:14.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352376", "name": "VDB-352376 | mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352376", "name": "VDB-352376 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.774806", "name": "Submit #774806 | mickasmt next-saas-stripe-starter 1.0.0 Authorization Bypass", "tags": ["third-party-advisory"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitation is known to be difficult."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-22T13:47:25.406Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4549", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:45:28.122Z", "dateReserved": "2026-03-21T16:49:05.353Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-22T13:47:25.406Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitation is known to be difficult."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en mickasmt next-saas-stripe-starter 1.0.0. Afectada por este problema es la funci\u00f3n openCustomerPortal del archivo actions/open-customer-portal.ts del componente Stripe API. Esta manipulaci\u00f3n causa omisi\u00f3n de autorizaci\u00f3n. La explotaci\u00f3n remota del ataque es posible. La complejidad de un ataque es bastante alta. Se sabe que la explotaci\u00f3n es dif\u00edcil."}], "id": "CVE-2026-4549", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-22T14:16:35.040", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.352376"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.352376"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.774806"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "next-saas-stripe-starter", "source": "cna", "vendor": "mickasmt"}, "product": "next-saas-stripe-starter", "vendor": "mickasmt"}], "analysis": {"en": {"generated_at": "2026-03-22T16:51:01.960969+00:00", "value": {"mitigation_remediation": ["Upgrade mickasmt next\u2011saas\u2011stripe\u2011starter to a patched version as soon as it becomes available.", "If a patch is not yet released, block or restrict access to the Open Customer Portal endpoint until remediation is complete.", "Enable logging and monitoring for all access attempts to the openCustomerPortal function to detect anomalous activity.", "Review and enforce role\u2011based access controls to ensure only authorized users can invoke the function."], "summary": {"action": "Apply Patch", "impact": "Authorization bypass via remote exploitation"}, "threat_synthesis": {"affected_systems": "Affected is the mickasmt next\u2011saas\u2011stripe\u2011starter application, version 1.0.0, which includes the file actions/open\u2011customer\u2011portal.ts in the Stripe API component. No other products or versions are listed as vulnerable.", "description_and_impact": "The flaw in the openCustomerPortal function of the Stripe API component within mickasmt next\u2011saas\u2011stripe\u2011starter 1.0.0 allows an attacker to bypass authorization checks and gain unauthorized access to the customer portal. This violation of access control could lead to viewing or modifying sensitive customer data, compromising confidentiality and integrity. The weakness is classified as an authorization bypass (CWE\u2011285) and privilege escalation (CWE\u2011639).", "risk_and_exploitability": "The base score of 2.3 signals a low overall severity, and the vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires high complexity and is known to be difficult, reducing the likelihood of an attack. Nevertheless, because remote exploitation is possible, an adversary who succeeds could obtain unauthorized access to customer information, posing a serious confidentiality and integrity risk."}}}}, "created": "2026-03-23T09:46:01.805130+00:00", "updated": "2026-03-25T14:50:38.231110+00:00", "vendors": ["mickasmt", "mickasmt$PRODUCT$next-saas-stripe-starter"]}