CVE-2026-61718 in bunkerwebinfo

Summary

by MITRE • 07/16/2026

bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @login_required, including POST /cache/delete, allowed low-privilege read-only reader accounts to permanently delete job cache files containing blacklist, greylist, DNSBL, CrowdSec, GeoIP, ModSecurity CRS, Let's Encrypt, ACME, and custom configuration data. This issue is fixed in version 1.6.12.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability identified in BunkerWeb versions 1.6.2 through 1.6.12 represents a critical authorization bypass flaw that undermines the security model of the web application firewall's user interface. This issue specifically affects the BiscuitMiddleware authorization system which is responsible for controlling access to various administrative functions within the BunkerWeb UI. The flaw stems from an improperly configured authorization bypass list that includes the /cache/ URL prefix, creating a pathway for unauthorized users to access protected administrative endpoints despite lacking proper privileges.

The technical implementation of this vulnerability involves the BiscuitMiddleware component failing to properly validate user permissions when processing requests to cache-related endpoints. The affected routes in src/ui/app/routes/cache.py are designed to be protected exclusively by the @login_required decorator, which should ensure that only authenticated users can access these functions. However, the inclusion of /cache/ in the authorization bypass list effectively removes this protection for specific cache operations, particularly the POST /cache/delete endpoint that allows for permanent deletion of critical cache files.

This authorization bypass exposes significant operational risks as it enables low-privilege read-only reader accounts to perform destructive actions on the system's core caching infrastructure. The cache files contain sensitive data including blacklist configurations, greylist entries, DNSBL information, CrowdSec threat intelligence feeds, GeoIP databases, ModSecurity CRS rules, Let's Encrypt and ACME certificate management data, and custom configuration parameters that are essential for the proper functioning of the WAF. When these files are permanently deleted, it can result in complete service disruption, loss of security configurations, and potential exposure of the protected infrastructure to threats.

The impact of this vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and represents a direct violation of the principle of least privilege that is fundamental to secure application design. From an attack perspective, this flaw maps to ATT&CK technique T1078.004 which covers valid accounts used for unauthorized access, as it allows users with minimal privileges to escalate their capabilities through the exploitation of authorization weaknesses in the UI components.

The fix implemented in version 1.6.12 addresses this issue by removing the /cache/ URL prefix from the authorization bypass list, thereby restoring proper access controls to all cache-related endpoints. This remediation ensures that the @login_required decorator and any additional permission checks function as intended, preventing unauthorized deletion of critical cache files. Organizations using affected versions should immediately upgrade to 1.6.12 or later to mitigate this risk, while also conducting thorough audits of their BunkerWeb configurations to ensure no other similar authorization bypasses exist in related components. The vulnerability demonstrates the importance of proper access control implementation and the potential for seemingly minor configuration errors to create significant security weaknesses in web applications.

This issue highlights the critical need for comprehensive security testing of authorization mechanisms, particularly in multi-tenant environments where different user roles must be properly enforced. The vulnerability could have been prevented through more rigorous input validation of authorization rules, proper security code reviews focusing on access control logic, and systematic testing of privilege escalation scenarios. Organizations implementing similar WAF solutions should conduct regular security assessments to identify and remediate such authorization bypass vulnerabilities that could compromise the integrity and availability of their security infrastructure.

Responsible

GitHub M

Reservation

07/10/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!