CVE-2026-2849 in warehouseinfo

Summary

by MITRE • 02/20/2026

A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function deleteCache/removeAllCache/syncCache of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\CacheController.java of the component Cache Sync Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/27/2026

This vulnerability exists within the yeqifu warehouse software system where improper input validation and lack of proper access controls create a critical security flaw in the cache management functions. The affected code paths include deleteCache, removeAllCache, and syncCache methods within the dataset repository warehouse module, specifically in the java source file structure. The vulnerability stems from insufficient sanitization of user-provided parameters that are directly used in cache manipulation operations, potentially allowing unauthorized users to execute arbitrary cache operations against the system. This issue represents a direct violation of secure coding practices and could enable attackers to disrupt normal system operations or potentially escalate privileges within the warehouse environment.

The technical implementation flaw manifests when these cache management functions process external inputs without adequate validation or authorization checks. Attackers could exploit this weakness by crafting malicious requests that target the vulnerable methods, potentially leading to cache poisoning, denial of service conditions, or unauthorized data manipulation within the warehouse system. The vulnerability is particularly concerning because cache operations often involve critical system resources and can affect data consistency and availability. This weakness directly maps to CWE-20, which addresses improper input validation, and CWE-352, which covers cross-site request forgery vulnerabilities that could be leveraged to exploit this cache manipulation functionality.

The operational impact of this vulnerability extends beyond simple cache corruption, as it could enable attackers to disrupt warehouse operations, manipulate inventory data, or potentially gain unauthorized access to sensitive information stored within the cache system. System administrators may experience unexpected cache behavior, performance degradation, or complete service unavailability depending on the nature of the exploitation attempt. The vulnerability affects the core data management functionality of the warehouse system, potentially compromising data integrity and availability. This issue aligns with ATT&CK technique T1499.004, which covers cache poisoning attacks, and could facilitate broader exploitation attempts against the underlying data repository infrastructure.

Mitigation strategies should focus on implementing comprehensive input validation and access control mechanisms for all cache management functions. The system should enforce strict parameter validation and authentication checks before executing any cache manipulation operations. Additionally, implementing proper logging and monitoring of cache operations will help detect anomalous behavior and potential exploitation attempts. Regular security updates and code reviews should be conducted to identify similar vulnerabilities within the codebase. The implementation of principle of least privilege access controls for cache management functions will significantly reduce the attack surface and limit potential damage from exploitation attempts. Organizations should also consider implementing automated security scanning tools to identify similar vulnerabilities in other components of their warehouse infrastructure.

Responsible

VulDB

Disclosure

02/20/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00220

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!