CVE-2026-42671: Paolo GeoDirectory Missing Authorization Vulnerability (CVSS 6.5)
Paolo GeoDirectory versions up to 2.8.157 contain a missing authorization flaw that allows attackers to bypass access controls. Without needing credentials or user interaction, an attacker on the network can exploit misconfigured security levels to gain unauthorized access to sensitive operations, potentially modifying data or causing service disruption.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GeoDirectory: from n/a through 2.8.157.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42671 is a CWE-862 (Missing Authorization) vulnerability in Paolo GeoDirectory. The flaw stems from incorrectly configured access control security levels that fail to properly enforce authorization checks. The vulnerability is network-accessible, requires no authentication, and has low attack complexity, making it straightforward to exploit. It impacts data integrity and availability but not confidentiality. All versions through 2.8.157 are affected.
Business impact
Unauthorized access to GeoDirectory functionality could allow attackers to modify directory entries, corrupt location data, or disrupt service availability for end users relying on the directory. For organizations using GeoDirectory in production, this could result in data integrity issues, customer-facing outages, and potential liability if customer information is altered without authorization.
Affected systems
Paolo GeoDirectory versions from the earliest through 2.8.157 are vulnerable. Organizations should verify their exact GeoDirectory installation version immediately. No information on fixed versions is currently available; consult the Paolo project or vendor advisory for patched releases.
Exploitability
This vulnerability is moderately exploitable. It requires network access but no authentication, credentials, or user interaction. An attacker can trigger the flaw directly from the network, making reconnaissance and exploitation relatively straightforward once the vulnerable version is identified. The low attack complexity suggests no special tools or advanced techniques are needed.
Remediation
Upgrade Paolo GeoDirectory to the latest available version released after 2.8.157. Verify against the official Paolo project repository or vendor advisory for confirmed patched versions. Until patching is possible, implement network segmentation to restrict unauthenticated access to GeoDirectory services, and review access control configurations for any obviously misconfigured security levels.
Patch guidance
Check the Paolo GeoDirectory project release notes and advisories for versions newer than 2.8.157. Apply the latest stable release that addresses CVE-2026-42671. Test the upgrade in a non-production environment first to ensure compatibility with your deployment. Monitor vendor communications for any additional guidance on this vulnerability.
Detection guidance
Monitor access logs for unauthenticated requests to GeoDirectory endpoints that should require authorization. Look for unusual modification activity on directory entries from unexpected sources or IPs. Consider deploying a WAF rule to restrict unauthenticated access to sensitive GeoDirectory functions. Network IDS/IPS signatures may become available as the vulnerability is more widely disclosed.
Why prioritize this
This vulnerability warrants prompt but not emergency action. It is network-accessible and requires no authentication, lowering the barrier to exploitation. However, the CVSS score of 6.5 (Medium) reflects limited scope—only integrity and availability are affected, not confidentiality. Organizations running GeoDirectory should prioritize this within a standard patching cycle, especially if the service is internet-facing or handles sensitive location data.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a network-exploitable flaw (AV:N) with low attack complexity (AC:L) and no authentication requirement (PR:N), but limited impact. Integrity and availability are compromised (I:L, A:L), while confidentiality remains unaffected (C:N). The Scope Unchanged (S:U) designation means the vulnerability does not cross privilege boundaries. This places it firmly in Medium severity—notable but not critical.
Frequently asked questions
What versions of Paolo GeoDirectory are affected?
All versions of Paolo GeoDirectory through 2.8.157 are vulnerable. Verify your version in the installation directory or admin panel and compare against official release notes to determine if a patch is available.
Do I need credentials to exploit this vulnerability?
No. The flaw allows unauthenticated network-based exploitation. This significantly lowers the attack barrier compared to vulnerabilities requiring prior authentication.
Can an attacker read sensitive data with this vulnerability?
The vulnerability does not affect confidentiality, so attackers cannot read protected data. However, they can modify or disrupt availability of directory information.
Is this vulnerability actively exploited in the wild?
CVE-2026-42671 is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been publicly confirmed. However, the ease of exploitation means organizations should not delay patching.
This analysis is provided for informational purposes. SEC.co does not verify vendor patch status or availability in real-time. Consult the Paolo project official advisory and release notes for authoritative patching information. Test all updates in non-production environments before production deployment. Vulnerability information is current as of the modification date provided and may be updated as new details emerge. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10855MEDIUMMISP Event Template Authorization Flaw – Patch Guidance
- CVE-2026-27351MEDIUMMissing Authorization in Sekander Badsha Crew HRM—Patch Guidance & Risk Analysis