MEDIUM 6.5

CVE-2026-42671: Paolo GeoDirectory Missing Authorization Vulnerability (CVSS 6.5)

Paolo GeoDirectory versions up to 2.8.157 contain a missing authorization flaw that allows attackers to bypass access controls. Without needing credentials or user interaction, an attacker on the network can exploit misconfigured security levels to gain unauthorized access to sensitive operations, potentially modifying data or causing service disruption.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GeoDirectory: from n/a through 2.8.157.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42671 is a CWE-862 (Missing Authorization) vulnerability in Paolo GeoDirectory. The flaw stems from incorrectly configured access control security levels that fail to properly enforce authorization checks. The vulnerability is network-accessible, requires no authentication, and has low attack complexity, making it straightforward to exploit. It impacts data integrity and availability but not confidentiality. All versions through 2.8.157 are affected.

Business impact

Unauthorized access to GeoDirectory functionality could allow attackers to modify directory entries, corrupt location data, or disrupt service availability for end users relying on the directory. For organizations using GeoDirectory in production, this could result in data integrity issues, customer-facing outages, and potential liability if customer information is altered without authorization.

Affected systems

Paolo GeoDirectory versions from the earliest through 2.8.157 are vulnerable. Organizations should verify their exact GeoDirectory installation version immediately. No information on fixed versions is currently available; consult the Paolo project or vendor advisory for patched releases.

Exploitability

This vulnerability is moderately exploitable. It requires network access but no authentication, credentials, or user interaction. An attacker can trigger the flaw directly from the network, making reconnaissance and exploitation relatively straightforward once the vulnerable version is identified. The low attack complexity suggests no special tools or advanced techniques are needed.

Remediation

Upgrade Paolo GeoDirectory to the latest available version released after 2.8.157. Verify against the official Paolo project repository or vendor advisory for confirmed patched versions. Until patching is possible, implement network segmentation to restrict unauthenticated access to GeoDirectory services, and review access control configurations for any obviously misconfigured security levels.

Patch guidance

Check the Paolo GeoDirectory project release notes and advisories for versions newer than 2.8.157. Apply the latest stable release that addresses CVE-2026-42671. Test the upgrade in a non-production environment first to ensure compatibility with your deployment. Monitor vendor communications for any additional guidance on this vulnerability.

Detection guidance

Monitor access logs for unauthenticated requests to GeoDirectory endpoints that should require authorization. Look for unusual modification activity on directory entries from unexpected sources or IPs. Consider deploying a WAF rule to restrict unauthenticated access to sensitive GeoDirectory functions. Network IDS/IPS signatures may become available as the vulnerability is more widely disclosed.

Why prioritize this

This vulnerability warrants prompt but not emergency action. It is network-accessible and requires no authentication, lowering the barrier to exploitation. However, the CVSS score of 6.5 (Medium) reflects limited scope—only integrity and availability are affected, not confidentiality. Organizations running GeoDirectory should prioritize this within a standard patching cycle, especially if the service is internet-facing or handles sensitive location data.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects a network-exploitable flaw (AV:N) with low attack complexity (AC:L) and no authentication requirement (PR:N), but limited impact. Integrity and availability are compromised (I:L, A:L), while confidentiality remains unaffected (C:N). The Scope Unchanged (S:U) designation means the vulnerability does not cross privilege boundaries. This places it firmly in Medium severity—notable but not critical.

Frequently asked questions

What versions of Paolo GeoDirectory are affected?

All versions of Paolo GeoDirectory through 2.8.157 are vulnerable. Verify your version in the installation directory or admin panel and compare against official release notes to determine if a patch is available.

Do I need credentials to exploit this vulnerability?

No. The flaw allows unauthenticated network-based exploitation. This significantly lowers the attack barrier compared to vulnerabilities requiring prior authentication.

Can an attacker read sensitive data with this vulnerability?

The vulnerability does not affect confidentiality, so attackers cannot read protected data. However, they can modify or disrupt availability of directory information.

Is this vulnerability actively exploited in the wild?

CVE-2026-42671 is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been publicly confirmed. However, the ease of exploitation means organizations should not delay patching.

This analysis is provided for informational purposes. SEC.co does not verify vendor patch status or availability in real-time. Consult the Paolo project official advisory and release notes for authoritative patching information. Test all updates in non-production environments before production deployment. Vulnerability information is current as of the modification date provided and may be updated as new details emerge. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).