{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31150", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-06T15:02:11.998Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:32:02.551Z"}, "descriptions": [{"lang": "en", "value": "Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://kaleris.com/solutions/yard-management/"}, {"url": "https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:02:08.855352Z", "id": "CVE-2026-31150", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:02:11.998Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31150", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:02:08.855352Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:01:43.688Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://kaleris.com/solutions/yard-management/"}, {"url": "https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150"}], "descriptions": [{"lang": "en", "value": "Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-06T14:32:02.551Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31150", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:02:11.998Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-06T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kaleris:yard_management_solutions:7.2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "4981C1C6-A8B8-44C1-AB1C-132E7EE48677", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources."}], "id": "CVE-2026-31150", "lastModified": "2026-04-10T18:03:10.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-06T15:17:09.430", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://kaleris.com/solutions/yard-management/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.2.2.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "yms", "vendor": "kaleris"}], "analysis": {"en": {"generated_at": "2026-04-06T17:25:05.035883+00:00", "value": {"mitigation_remediation": ["Check for and apply any vendor\u2011released patch targeting the access\u2011control flaw in YMS v7.2.2.1.", "If a patch is unavailable, adjust role\u2011based permissions to restrict the truck dashboard resources to authorized roles only.", "Audit and monitor authentication logs for unusual access patterns to the truck dashboard.", "Consider disabling or limiting shipping/receiving roles from accessing the dashboard until a fix is applied."], "summary": {"action": "Apply Fix", "impact": "Unauthorized view of truck dashboard resources"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Kaleris Yard Management System (YMS) version 7.2.2.1. Users assigned the shipping or receiving roles in this product can exploit the flaw to access resources normally restricted to higher\u2011privilege roles.", "description_and_impact": "Incorrect access control in Kaleris YMS version 7.2.2.1 allows authenticated users who possess only the shipping or receiving role to view truck dashboard resources. This vulnerability may lead to unauthorized disclosure of potentially sensitive operational data. The flaw stems from improper implementation of role\u2011based access control, as indicated by CWE\u2011284 and CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 4.3 places the issue in the medium severity range. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is triggered by normal authenticated access, an attacker would need valid credentials with a shipping or receiving role; no elevation or remote code execution is required. Exploitation is straightforward for an insider or compromised account, while external attackers would first need to obtain valid credentials."}}}}, "created": "2026-04-06T20:21:59.019453+00:00", "title": "Authenticated Access to Truck Dashboard Resources via Role-based Access Control Flaw in Kaleris YMS v7.2.2.1", "updated": "2026-04-06T21:47:49.646298+00:00", "vendors": ["kaleris", "kaleris$PRODUCT$yms"]}