MEDIUM 5.3

CVE-2026-10597: OMICARD EDM Unauthenticated Email Disclosure Vulnerability

OMICARD EDM, a product developed by ITPison, contains a vulnerability that allows attackers without credentials to access user email addresses by manipulating a specific parameter in a web request. No authentication is required, making this a direct and accessible attack surface. While the vulnerability does not allow attackers to modify data or disrupt service, the unauthorized disclosure of email addresses poses a clear privacy and information-gathering risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-639
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10597 is an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639. The flaw permits unauthenticated, remote attackers to enumerate or extract user email addresses by modifying request parameters. The attack vector is network-based with low complexity and requires no user interaction. The CVSS 3.1 score of 5.3 (MEDIUM) reflects confidentiality impact—specifically the disclosure of sensitive email data—without integrity or availability compromise.

Business impact

Exposure of user email addresses undermines customer privacy, creates reputational risk, and provides attackers with a foothold for social engineering, phishing campaigns, or targeted follow-on attacks. Organizations running OMICARD EDM should assume their user roster has been or could be enumerated. This is particularly concerning for financial, healthcare, or government deployments where email harvesting feeds downstream compromise chains.

Affected systems

OMICARD EDM by ITPison is the affected product. Organizations operating this application should immediately audit their instances. The vendor product list provided does not specify version ranges; consult ITPison's advisory or security bulletins to determine which versions are impacted and which patches or mitigations are available.

Exploitability

This vulnerability is highly exploitable. No authentication, no special privileges, and no user interaction are required. An attacker can craft simple HTTP requests with modified parameters from anywhere on the internet to harvest email addresses at scale. The low complexity and direct network accessibility mean opportunistic attackers can weaponize this quickly. As of the current date, this is not listed on CISA's Known Exploited Vulnerabilities catalog, but the ease of exploitation suggests active discovery and testing is likely underway.

Remediation

Organizations must obtain and apply patches from ITPison as soon as they become available. Pending patch deployment, implement network-level access controls to restrict OMICARD EDM endpoints to trusted networks only, and monitor for unusual parameter manipulation or bulk requests that suggest email enumeration attempts. Verify the patch version and deployment steps directly with ITPison's security advisory to ensure complete remediation.

Patch guidance

Contact ITPison directly or monitor their security advisories for patch availability and version numbers. Test patches in a non-production environment first. Given the public disclosure date of 2026-06-04, patches should be prioritized for immediate rollout. Confirm that deployed patches close the IDOR flaw and that no residual parameter-manipulation vectors remain accessible.

Detection guidance

Monitor access logs for abnormal parameter variations in requests to OMICARD EDM endpoints, particularly patterns suggesting systematic enumeration. Watch for repeated requests with incrementing or varied object identifiers, unusual query parameter values, or large volumes of failed/redirected requests. Log and alert on unauthenticated access to user data endpoints. Implement WAF rules to detect and block suspicious parameter manipulation if feasible.

Why prioritize this

Although the CVSS score is MEDIUM (5.3), the vulnerability warrants prompt attention because it is trivially exploitable and results in privacy-relevant data disclosure. Email addresses are often the first step in broader social engineering and phishing attacks. The lack of authentication and user interaction means no warning signs precede an attack. Organizations should patch within 2–4 weeks of vendor release.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a network-accessible vulnerability with low attack complexity and no authentication requirement, yielding a MEDIUM severity rating. Confidentiality is impacted (users' email addresses are disclosed), but integrity and availability are not compromised. In business context, however, email harvesting often serves as reconnaissance for higher-severity follow-on attacks, so the true organizational risk may exceed the base CVSS rating.

Frequently asked questions

Can attackers modify user data or delete records with this vulnerability?

No. CVE-2026-10597 is a confidentiality issue only. Attackers can read and extract email addresses but cannot alter user accounts, passwords, or stored information. The vulnerability does not provide write or delete permissions.

Do I need valid credentials to exploit this flaw?

No. The vulnerability is unauthenticated. Any remote attacker without login credentials can exploit it simply by crafting requests with modified parameters. No social engineering or credential theft is necessary.

Is there a public exploit or proof-of-concept available?

As of the advisory date, there is no indication that a weaponized exploit or PoC has been released. However, the low complexity means security researchers and threat actors can quickly develop one. Patch application should not be delayed.

What should I do if I suspect my OMICARD EDM instance has been exploited?

Contact ITPison for guidance on forensic analysis. Review access logs for suspicious parameter-manipulation patterns. Consider assuming email lists have been compromised and notify affected users if your privacy policy and local regulations require it. Apply patches immediately and strengthen access controls.

This analysis is based on publicly disclosed information and CVSS base scores as of the publication date. Vendor-specific patch versions, configuration details, and version-range information must be verified directly from ITPison's official security advisory. No exploit code or weaponized proof-of-concept is provided. Organizations should consult with their security teams and vendor support before deploying patches or making access-control changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).