Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Multiple vulnerabilities in MphRx's Minerva

Posted date 28/04/2026
Identificador
INCIBE-2026-317
Importance
5 - Critical
Affected Resources

Minerva V3.6.0.

Description

INCIBE has coordinated the disclosure of three vulnerabilities, one critical and two high severity, affecting Minerva V3.6.0 from MphRx, a health data platform. The vulnerabilities were discovered by Alejandro Rivera León.

These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type for each vulnerability:

  • CVE-2026-5779: CVSS v4.0: 9.4 | CVSS  AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H | CWE-284
  • CVE-2026-5780: CVSS v4.0: 8.5 | CVSS  AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H | CWE-284
  • CVE-2026-5781: CVSS v4.0: 8.5 | CVSS  AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H | CWE-285
Solution

No solution has been reported yet.

Detail
  • CVE-2026-5779: an insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/user/updateUserProfile' endpoint. This allows an authenticated user to modify the information of other registered users. Successful exploitation of this vulnerability allows an authenticated user to modify other users' information, such as their email address, and request a new password via the '/webconnect/#/forgotPassword' endpoint. This could lead to complete account takeover.
  • CVE-2026-5780: an insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically in the endpoint '/minerva/moUser/show/<ID>'. If this vulnerability is successfully exploited, an authenticated user can access the data of other registered users simply by modifying the ID. This allows an attacker to obtain a list of users.
  • CVE-2026-5781: an authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitation of this vulnerability could allow an authenticated user to obtain administrator privileges. It is not possible to escalate privileges through the graphical user interface.
CVE
Identificador CVE Severidad Explotación Fabricante
CVE-2026-5779 Crítica No MphRx
CVE-2026-5780 Alta No MphRx
CVE-2026-5781 Alta No MphRx
References list
Página web de Aion Health
Etiquetas