CVE-2026-10288: Hotel Reservation System Admin Authentication Bypass
A flaw in the Hotel and Tourism Reservation System version 1.0 allows attackers to bypass admin authentication. The vulnerability exists in the admin login page where the password verification function can be manipulated, enabling unauthorized access to the administrative interface without valid credentials. An attacker can exploit this remotely over the network, and proof-of-concept code has already been published publicly.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-287
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10288 is an improper authentication vulnerability (CWE-287) affecting the password_verify function within /admin/login.php. The vulnerability stems from inadequate password validation logic in the Admin Login component. By manipulating the Password argument, an attacker can circumvent authentication checks. The attack vector is network-based, requires no privileges, no user interaction, and operates in the user security scope. The CVSS v3.1 score of 7.3 (HIGH) reflects low complexity and direct remote exploitability across confidentiality, integrity, and availability impacts.
Business impact
Compromise of the admin login exposes the entire reservation system to unauthorized control. An attacker gaining admin access can view, modify, or delete guest bookings; alter pricing and availability; exfiltrate customer data including payment information and personal details; inject malicious content; and disable critical business functions. For a hotel or tourism operator, this creates immediate operational disruption, regulatory compliance violations (PCI-DSS, GDPR), reputational damage, and potential financial loss through fraud or ransom demands.
Affected systems
code-projects Hotel and Tourism Reservation System version 1.0 is confirmed vulnerable. Organizations running this specific version with internet-exposed admin interfaces are at direct risk. Determine if your deployment is version 1.0 and whether the /admin/login.php endpoint is accessible from untrusted networks. Verify whether the system is actively used to process real guest reservations and payments.
Exploitability
Exploitability is high. The vulnerability requires only network access and no authentication prerequisites, meaning any remote actor can attempt exploitation. The CVSS metric AC:L (Low Attack Complexity) confirms the attack is straightforward. Public disclosure of proof-of-concept code significantly increases real-world exploitation likelihood. Expect automated scanning and opportunistic exploitation attempts against exposed instances within days of public disclosure.
Remediation
Immediate action is required. First, identify all instances of Hotel and Tourism Reservation System 1.0 in your environment, especially internet-facing deployments. Contact code-projects for an updated patch or security advisory addressing the password_verify function. As an interim measure, restrict network access to /admin/login.php using firewall rules, WAF policies, or network segmentation—allow admin login only from trusted administrative networks. Consider implementing mandatory multi-factor authentication at the application layer if the vendor provides that capability. If no patch is available within 48 hours, evaluate system retirement or replacement.
Patch guidance
Check the code-projects official security advisory and product repository for available patches beyond version 1.0. Apply any released patch immediately following standard change control procedures, including testing in a non-production environment first. If patching is delayed, compensate with network-level access controls. Verify the patch by confirming the password_verify function now properly validates credentials and that admin login from a test account correctly rejects invalid passwords. Document patch application and test results for compliance records.
Detection guidance
Monitor authentication logs in /admin/login.php for unusual patterns: multiple rapid login attempts from different IP addresses, successful logins from unexpected geographic locations or at unusual hours, and successful admin logins immediately following failed attempts (indicating bypass). Deploy network-based intrusion detection rules looking for POST requests to /admin/login.php with suspicious payloads or abnormal parameter encoding. Log all admin access and cross-reference against legitimate administrative staff schedules. Alert on any admin password changes initiated outside normal administrative windows. If WAF is deployed, create rules to detect and block known exploitation patterns as they emerge in public disclosures.
Why prioritize this
This vulnerability merits immediate remediation due to the combination of high CVSS severity (7.3), complete authentication bypass enabling full admin compromise, proven remote exploitability with no prerequisites, publicly available proof-of-concept code, and direct exposure of sensitive customer and operational data. The low attack complexity means exploitation requires minimal skill. For any organization running this system in production, this represents a critical business continuity and data protection risk requiring emergency response protocols.
Risk score, explained
The CVSS v3.1 score of 7.3 reflects: Network attack vector (AV:N) allowing remote exploitation; Low attack complexity (AC:L) requiring no special conditions; No required privileges (PR:N) or user interaction (UI:N); User scope unchanged (S:U); and impact across all three CIA triad dimensions—confidentiality loss (access to guest data), integrity loss (modification of bookings and system data), and availability loss (potential service disruption). The HIGH severity is appropriate given the direct path to administrative control and the sensitivity of hospitality reservation data.
Frequently asked questions
Is version 1.0 actively maintained by code-projects?
Verify the current maintenance status by reviewing the vendor's official product roadmap and security policy. If version 1.0 is end-of-life, prioritize immediate upgrade or replacement rather than relying on patches. Contact code-projects directly for clarity on support timelines.
Can this vulnerability be exploited if the admin login page is not internet-facing?
Network accessibility is the critical factor. If /admin/login.php is restricted to internal networks only via firewall rules and VPN requirements, the risk is substantially lower but not eliminated. Insider threats remain. Apply least-privilege access controls regardless of network position.
What customer data is at risk if the admin login is compromised?
Typical hotel systems store guest names, email addresses, phone numbers, credit card details (if stored), reservation dates, room preferences, and interaction history. In scope of regulatory risk: PCI-DSS applies to payment data; GDPR applies to EU resident data. Data breach notification obligations trigger immediately upon confirmation of compromise.
If we cannot patch immediately, what is the minimum safe configuration?
Restrict /admin/login.php to an allowlist of trusted IP addresses via firewall or WAF rules; disable internet access entirely and require VPN for admin functions; implement mandatory multi-factor authentication if available; rotate all admin credentials; and enable comprehensive logging of all admin activities for incident detection.
This analysis is based on publicly disclosed information as of the publication date. Vendor product and patch availability details should be verified directly with code-projects before implementation decisions. CVSS scores and severity ratings are provided for contextualization; they are not substitutes for risk assessment within your specific operational environment. Organizations are responsible for conducting their own vulnerability assessment, impact analysis, and remediation planning aligned with their business continuity and compliance requirements. No exploit code or detailed attack methods are provided in this analysis. Security teams should consult official vendor advisories and maintain awareness of emerging attacker techniques through threat intelligence feeds. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk
- CVE-2026-10167HIGHAuthentication Bypass in BrinaryBrains School Management System
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-10619HIGHsayan365 Student-Management-System Remote Authentication Bypass
- CVE-2026-10777HIGHealpha072 Student-Management-System Authentication Bypass in Admin Backend
- CVE-2026-40964HIGHCloud Foundry Authentication Bypass Exposes All Logs and Metrics