CVE-2026-3053

HighPublic PoC

Published: 24 February 2026

Published

24 February 2026

Modified

25 February 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0013 31.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in DataLinkDC dinky up to 1.2.5. This affects the function addInterceptors of the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java of the component OpenAPI Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely.…

The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access, directly addressing the missing authentication enforcement on the OpenAPI endpoint.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Requires unique identification and authentication for non-organizational users, preventing remote attackers from bypassing authentication on the vulnerable endpoint.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Explicitly identifies and limits user actions permitted without identification or authentication, ensuring critical OpenAPI functions require authentication.

Security SummaryAI

CVE-2026-3053 is a vulnerability in DataLinkDC dinky versions up to 1.2.5, affecting the addInterceptors function in the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java within the OpenAPI Endpoint component. The flaw enables missing authentication through manipulation, as classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function). It was published on 2026-02-24 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote attackers require no privileges or user interaction and face low attack complexity to exploit the issue over the network. Successful exploitation bypasses authentication on the OpenAPI Endpoint, granting unauthorized access with low impacts on confidentiality, integrity, and availability.

Advisories on VulDB and GitHub (AnalogyC0de/public_exp issues #6 and #3935019636) publicly disclose a working exploit that may be utilized. The vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available.

Details

CWE(s): CWE-287 CWE-306

Affected Products

dinky

≤ 1.2.5

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables remote exploitation of a public-facing OpenAPI endpoint due to missing authentication, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/AnalogyC0de/public_exp/issues/6
Issue Tracking, Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/AnalogyC0de/public_exp/issues/6#issue-3935019636
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347411
Permissions Required, Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347411
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.757589
Third Party Advisory, VDB Entry · cna@vuldb.com