HIGH 7.5

CVE-2026-42670: Missing Authorization in Five Star Restaurant Reservations – Data Exposure Risk

CVE-2026-42670 is a missing authorization flaw in Etoile Web Design Incorporated's Five Star Restaurant Reservations system. An attacker can access sensitive data by exploiting improperly configured access controls without needing credentials or user interaction. The vulnerability allows unauthenticated remote access to confidential information, presenting a direct risk to restaurant operations and customer data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability stems from a failure to properly enforce authorization checks (CWE-862) in Five Star Restaurant Reservations. The system does not adequately validate whether a user has permission to access protected resources before granting access. An attacker can send network requests to affected endpoints without authentication (PR:N) and retrieve high-confidence information (C:H). The attack is simple to execute (AC:L) and requires no user interaction. All versions through 2.7.14 are affected.

Business impact

For restaurants relying on Five Star Restaurant Reservations, this vulnerability exposes customer reservation data, contact information, and potentially payment details to unauthorized access. This creates compliance exposure under data protection regulations, erodes customer trust, and may trigger breach notification obligations. Competitive disadvantage and reputational harm are likely if exploited at scale.

Affected systems

Five Star Restaurant Reservations by Etoile Web Design Incorporated versions 2.7.14 and earlier are vulnerable. Organizations using this reservation management platform should immediately audit their deployment and check their current version.

Exploitability

This vulnerability is readily exploitable. No authentication or privileges are required, and the attack can be conducted over the network with minimal complexity. An attacker with basic reconnaissance skills can identify and access unprotected endpoints. However, the vulnerability has not yet been added to the CISA KEV catalog, meaning active exploitation in the wild has not been broadly confirmed; this does not reduce its severity.

Remediation

Upgrade Five Star Restaurant Reservations to a patched version released by Etoile Web Design Incorporated. Verify the vendor advisory for the specific build that remediates CWE-862 authorization issues. As an interim measure, implement network-level access controls and Web Application Firewall (WAF) rules to restrict unauthenticated access to reservation endpoints. Review and restrict API access permissions.

Patch guidance

Contact Etoile Web Design Incorporated or consult their security advisory to identify the minimum version that resolves this authorization vulnerability. Test patches in a staging environment before production deployment to ensure compatibility with your restaurant operations. Prioritize this as a critical update given the ease of exploitation and sensitivity of reservation data.

Detection guidance

Monitor logs for unauthenticated requests to reservation endpoints and unusual data access patterns. Look for API calls from sources without valid session tokens or authorization headers. Deploy network monitoring to detect reconnaissance attempts targeting reservation system endpoints. Consider implementing behavioral analytics to identify suspicious bulk data retrieval.

Why prioritize this

A CVSS 7.5 HIGH severity vulnerability with zero authentication barriers and direct confidentiality impact warrants immediate attention. The combination of network-exploitability, zero user interaction, and data sensitivity makes this a priority for remediation before widespread awareness. Although not yet in the KEV catalog, the attack surface is significant.

Risk score, explained

The 7.5 CVSS 3.1 score reflects a high-severity flaw: remote, unauthenticated access (AV:N, PR:N, UI:N) with no complexity barrier (AC:L) yields direct confidentiality impact (C:H) but no integrity or availability compromise. This is a classic data-exposure vulnerability that rewards quick remediation.

Frequently asked questions

Do I need to be authenticated to exploit this vulnerability?

No. The vulnerability allows unauthenticated attackers to access protected data, meaning no valid credentials or login session are required to mount an attack.

What data is at risk?

Reservation details, customer contact information, and any associated booking metadata are exposed. Depending on the system configuration, payment or identity data may also be accessible.

Is this vulnerability actively being exploited?

As of the current publication date, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning widespread active exploitation has not been formally documented. However, organizations should assume that public awareness will drive exploit attempts.

What if I cannot patch immediately?

Implement network segmentation to limit access to the reservation system, use a WAF to enforce authentication requirements at the perimeter, and monitor access logs closely for unauthorized data retrieval attempts.

This analysis is based on vulnerability data published as of June 2026. Patch version numbers and KEV status are subject to change; verify current information with Etoile Web Design Incorporated's official security advisories and CISA before implementing remediation. SEC.co does not provide exploit code or weaponized proof-of-concept instructions. Organizations should conduct independent risk assessments for their specific deployments and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).