CVE-2026-42670: Missing Authorization in Five Star Restaurant Reservations – Data Exposure Risk
CVE-2026-42670 is a missing authorization flaw in Etoile Web Design Incorporated's Five Star Restaurant Reservations system. An attacker can access sensitive data by exploiting improperly configured access controls without needing credentials or user interaction. The vulnerability allows unauthenticated remote access to confidential information, presenting a direct risk to restaurant operations and customer data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability stems from a failure to properly enforce authorization checks (CWE-862) in Five Star Restaurant Reservations. The system does not adequately validate whether a user has permission to access protected resources before granting access. An attacker can send network requests to affected endpoints without authentication (PR:N) and retrieve high-confidence information (C:H). The attack is simple to execute (AC:L) and requires no user interaction. All versions through 2.7.14 are affected.
Business impact
For restaurants relying on Five Star Restaurant Reservations, this vulnerability exposes customer reservation data, contact information, and potentially payment details to unauthorized access. This creates compliance exposure under data protection regulations, erodes customer trust, and may trigger breach notification obligations. Competitive disadvantage and reputational harm are likely if exploited at scale.
Affected systems
Five Star Restaurant Reservations by Etoile Web Design Incorporated versions 2.7.14 and earlier are vulnerable. Organizations using this reservation management platform should immediately audit their deployment and check their current version.
Exploitability
This vulnerability is readily exploitable. No authentication or privileges are required, and the attack can be conducted over the network with minimal complexity. An attacker with basic reconnaissance skills can identify and access unprotected endpoints. However, the vulnerability has not yet been added to the CISA KEV catalog, meaning active exploitation in the wild has not been broadly confirmed; this does not reduce its severity.
Remediation
Upgrade Five Star Restaurant Reservations to a patched version released by Etoile Web Design Incorporated. Verify the vendor advisory for the specific build that remediates CWE-862 authorization issues. As an interim measure, implement network-level access controls and Web Application Firewall (WAF) rules to restrict unauthenticated access to reservation endpoints. Review and restrict API access permissions.
Patch guidance
Contact Etoile Web Design Incorporated or consult their security advisory to identify the minimum version that resolves this authorization vulnerability. Test patches in a staging environment before production deployment to ensure compatibility with your restaurant operations. Prioritize this as a critical update given the ease of exploitation and sensitivity of reservation data.
Detection guidance
Monitor logs for unauthenticated requests to reservation endpoints and unusual data access patterns. Look for API calls from sources without valid session tokens or authorization headers. Deploy network monitoring to detect reconnaissance attempts targeting reservation system endpoints. Consider implementing behavioral analytics to identify suspicious bulk data retrieval.
Why prioritize this
A CVSS 7.5 HIGH severity vulnerability with zero authentication barriers and direct confidentiality impact warrants immediate attention. The combination of network-exploitability, zero user interaction, and data sensitivity makes this a priority for remediation before widespread awareness. Although not yet in the KEV catalog, the attack surface is significant.
Risk score, explained
The 7.5 CVSS 3.1 score reflects a high-severity flaw: remote, unauthenticated access (AV:N, PR:N, UI:N) with no complexity barrier (AC:L) yields direct confidentiality impact (C:H) but no integrity or availability compromise. This is a classic data-exposure vulnerability that rewards quick remediation.
Frequently asked questions
Do I need to be authenticated to exploit this vulnerability?
No. The vulnerability allows unauthenticated attackers to access protected data, meaning no valid credentials or login session are required to mount an attack.
What data is at risk?
Reservation details, customer contact information, and any associated booking metadata are exposed. Depending on the system configuration, payment or identity data may also be accessible.
Is this vulnerability actively being exploited?
As of the current publication date, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning widespread active exploitation has not been formally documented. However, organizations should assume that public awareness will drive exploit attempts.
What if I cannot patch immediately?
Implement network segmentation to limit access to the reservation system, use a WAF to enforce authentication requirements at the perimeter, and monitor access logs closely for unauthorized data retrieval attempts.
This analysis is based on vulnerability data published as of June 2026. Patch version numbers and KEV status are subject to change; verify current information with Etoile Web Design Incorporated's official security advisories and CISA before implementing remediation. SEC.co does not provide exploit code or weaponized proof-of-concept instructions. Organizations should conduct independent risk assessments for their specific deployments and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2025-53345HIGHThimPress Thim Core Missing Authorization Leads to Code Execution
- CVE-2026-10737HIGHWordPress SP Project & Document Manager Unauthenticated File Access Vulnerability
- CVE-2026-31942HIGHLibreChat IDOR Vulnerability Allows Unauthorized API Key Manipulation
- CVE-2026-32905HIGHOpenClaw Device-Pair Authorization Bypass (CVSS 8.3)
- CVE-2026-35630HIGHOpenClaw Authorization Bypass in QQBot Approval Buttons
- CVE-2026-42669HIGHEventPrime Missing Authorization Vulnerability (CVSS 7.5)