CVE-2026-31271
Published: 07 April 2026
Description
megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- AC-3 Access Enforcement: enforces approved authorizations for access to the /user/insert endpoint, directly preventing unauthenticated attackers from creating super administrator accounts.
- IA-2 Identification and Authentication (Organizational Users): requires identification and authentication of organizational users before allowing access to sensitive functions like user insertion, addressing the missing authentication checks in UserController.java.
- AC-2 Account Management: manages account provisioning and creation processes to ensure only authorized entities can create accounts, mitigating unauthorized super administrator account creation.
Security Summary (AI-generated)
CVE-2026-31271 is an authorization bypass vulnerability affecting megagao production_ssm version 1.0. The flaw resides in the user addition functionality, specifically the insert() method within UserController.java, which lacks proper authentication checks. This allows attackers to interact with the vulnerable component without verifying user privileges, as documented under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability by directly accessing the /user/insert endpoint. By sending crafted requests to this endpoint, they can create super administrator accounts, granting full control over the system. Successful exploitation leads to complete system compromise, enabling arbitrary administrative actions such as data manipulation, privilege escalation, or further persistence.
The advisory detailing this issue is available at https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md, which documents the unauthorized access mechanism but does not specify patches or mitigations in the provided references. Security practitioners should review the source code for affected deployments and implement access controls on the /user/insert endpoint, such as requiring authentication tokens or IP whitelisting, pending official vendor guidance.
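As an added illustration of the access-control fix the summary recommends (this is example code, not production_ssm's own UserController.java, whose internals are not shown on this page), the following hypothetical Spring MVC controller pairs a request interceptor covering every /user/** route with an in-handler administrator check, so that the user-creation endpoint cannot be reached anonymously even if a single method forgets its own check. Class names, the session attribute name, the role values and the request-body shape are assumptions; the servlet imports assume the javax namespace typical of SSM (Spring + Spring MVC + MyBatis) projects.

```java
// Added example, not code from production_ssm: a hypothetical Spring MVC controller and
// interceptor showing how a user-creation endpoint can require an authenticated
// administrator. Class names, the session attribute and the role values are assumptions.
package example.web;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Minimal view of the logged-in principal kept in the HTTP session (assumed shape). */
class SessionUser {
    final String username;
    final String role; // e.g. "ADMIN" or "USER" (assumed role values)
    SessionUser(String username, String role) { this.username = username; this.role = role; }
}

/** Request body for user creation (assumed fields). */
class NewUserRequest {
    public String username;
    public String password;
    public String role;
}

/**
 * Layer 1: an interceptor that refuses any request under /user/** that has no
 * authenticated session. Doing this centrally means a controller method that
 * lacks its own check, as the advisory describes for insert(), still cannot be
 * reached anonymously.
 */
class AuthInterceptor implements HandlerInterceptor {
    static final String SESSION_KEY = "currentUser"; // assumed session attribute name

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) {
        HttpSession session = req.getSession(false);
        Object user = session == null ? null : session.getAttribute(SESSION_KEY);
        if (!(user instanceof SessionUser)) {
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false; // stop the request before the controller runs
        }
        return true;
    }
}

/** Registers the interceptor for every route under /user. */
@Configuration
class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new AuthInterceptor()).addPathPatterns("/user/**");
    }
}

@RestController
@RequestMapping("/user")
class UserController {

    /**
     * Layer 2: the handler itself re-checks that the caller is authenticated and
     * holds the administrator role before creating an account, so only an admin
     * can provision a user (and, in particular, an elevated one).
     */
    @PostMapping("/insert")
    public ResponseEntity<String> insert(@RequestBody NewUserRequest body, HttpSession session) {
        SessionUser caller = (SessionUser) session.getAttribute(AuthInterceptor.SESSION_KEY);
        if (caller == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("login required");
        }
        if (!"ADMIN".equals(caller.role)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("admin role required");
        }
        // A real application would call its user service here (assumed, e.g. userService.save(body)).
        return ResponseEntity.ok("created " + body.username + " with role " + body.role);
    }
}
```

The two layers are deliberate: the interceptor is the control that would have blocked the anonymous /user/insert request described above regardless of the controller's code, while the in-method role check is what stops an ordinary authenticated user from provisioning a super administrator. Responses use 401 for "not logged in" and 403 for "logged in but not permitted" so that monitoring can distinguish anonymous probing of the endpoint from privilege-escalation attempts by existing accounts.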
Details
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability is an authorization bypass in a public-facing web application endpoint (/user/insert), allowing unauthenticated attackers to create super administrator accounts, directly enabling T1190: Exploit Public-Facing Application.