CVE-2026-57375 in MStore APIinfo

Summary

by MITRE • 07/13/2026

Missing Authorization vulnerability in FluxBuilder MStore API mstore-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MStore API: from n/a through <= 4.18.4.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

The Missing Authorization vulnerability in FluxBuilder MStore API represents a critical access control flaw that fundamentally undermines the security posture of the affected system. This vulnerability resides within the mstore-api component and affects versions ranging from the initial release through version 4.18.4, creating a prolonged window of exposure for potentially millions of users who rely on this commerce platform. The flaw manifests as an incorrectly configured access control mechanism that fails to properly validate user permissions before granting access to protected resources, creating a pathway for unauthorized entities to bypass security controls and access sensitive functionality.

The technical nature of this vulnerability stems from insufficient authorization checks within the API endpoints, allowing attackers to exploit misconfigurations in the security layer that should normally enforce proper access controls. This misconfiguration creates a scenario where legitimate users may be granted elevated privileges or where unauthorized parties can access restricted API functionalities without proper authentication or authorization validation. The vulnerability operates at the application level and specifically targets the API gateway's ability to properly authenticate and authorize requests, making it particularly dangerous as it can be exploited through various attack vectors including direct API calls, web interface manipulation, or automated exploitation tools.

The operational impact of this Missing Authorization vulnerability extends far beyond simple data exposure, potentially enabling complete compromise of the commerce platform's backend systems. Attackers who successfully exploit this flaw can gain access to sensitive customer data, manipulate product catalogs, modify pricing structures, and potentially execute administrative functions within the MStore API environment. This vulnerability directly aligns with CWE-285, which specifically addresses improper authorization issues in software systems, and represents a clear violation of the principle of least privilege that should govern all API access controls. The consequences can include financial loss, regulatory compliance violations, and significant reputational damage to organizations using affected versions of the MStore API.

Organizations utilizing FluxBuilder MStore API versions up to 4.18.4 must implement immediate mitigations to address this vulnerability, as it represents a critical security risk that can be exploited by threat actors with minimal technical expertise. The most effective remediation strategy involves implementing proper authorization controls at all API endpoints, ensuring that each request is validated against appropriate user permissions and roles before any privileged operations are executed. Security measures should include comprehensive access control lists, proper session management, and regular security testing of API endpoints to prevent similar misconfigurations from occurring in future deployments. Additionally, organizations should consider implementing monitoring solutions to detect anomalous API usage patterns that may indicate exploitation attempts, while also ensuring compliance with industry standards such as NIST SP 800-53 for access control requirements and the OWASP API Security Top 10 recommendations for protecting web APIs from unauthorized access.

Responsible

Patchstack

Reservation

06/24/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!