{"api_version":"1","generated_at":"2026-07-17T03:45:20+00:00","cve":"CVE-2026-61718","urls":{"html":"https://cve.report/CVE-2026-61718","api":"https://cve.report/api/cve/CVE-2026-61718.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-61718","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-61718"},"summary":{"title":"bunkerweb: Read-only Web UI users can delete job cache files due to missing authorization on /cache/ routes","description":"bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @login_required, including POST /cache/delete, allowed low-privilege read-only reader accounts to permanently delete job cache files containing blacklist, greylist, DNSBL, CrowdSec, GeoIP, ModSecurity CRS, Let's Encrypt, ACME, and custom configuration data. This issue is fixed in version 1.6.12.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-16 20:16:46","updated_at":"2026-07-16 20:16:46"},"problem_types":["CWE-285","CWE-862","CWE-285 CWE-285: Improper Authorization","CWE-862 CWE-862: Missing Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.4","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}}],"references":[{"url":"https://github.com/bunkerity/bunkerweb/releases/tag/v1.6.12","name":"https://github.com/bunkerity/bunkerweb/releases/tag/v1.6.12","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/bunkerity/bunkerweb/commit/685ccbbe7d204132a843a7b7fd802d1bdb3f20a9","name":"https://github.com/bunkerity/bunkerweb/commit/685ccbbe7d204132a843a7b7fd802d1bdb3f20a9","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q7rm-935c-v39g","name":"https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q7rm-935c-v39g","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-61718","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-61718","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"bunkerity","product":"bunkerweb","version":"affected >= 1.6.2, < 1.6.12","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"bunkerweb","vendor":"bunkerity","versions":[{"status":"affected","version":">= 1.6.2, < 1.6.12"}]}],"descriptions":[{"lang":"en","value":"bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @login_required, including POST /cache/delete, allowed low-privilege read-only reader accounts to permanently delete job cache files containing blacklist, greylist, DNSBL, CrowdSec, GeoIP, ModSecurity CRS, Let's Encrypt, ACME, and custom configuration data. This issue is fixed in version 1.6.12."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-285","description":"CWE-285: Improper Authorization","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-862","description":"CWE-862: Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-16T19:15:39.183Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q7rm-935c-v39g","tags":["x_refsource_CONFIRM"],"url":"https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q7rm-935c-v39g"},{"name":"https://github.com/bunkerity/bunkerweb/commit/685ccbbe7d204132a843a7b7fd802d1bdb3f20a9","tags":["x_refsource_MISC"],"url":"https://github.com/bunkerity/bunkerweb/commit/685ccbbe7d204132a843a7b7fd802d1bdb3f20a9"},{"name":"https://github.com/bunkerity/bunkerweb/releases/tag/v1.6.12","tags":["x_refsource_MISC"],"url":"https://github.com/bunkerity/bunkerweb/releases/tag/v1.6.12"}],"source":{"advisory":"GHSA-q7rm-935c-v39g","discovery":"UNKNOWN"},"title":"bunkerweb: Read-only Web UI users can delete job cache files due to missing authorization on /cache/ routes"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-61718","datePublished":"2026-07-16T19:15:39.183Z","dateReserved":"2026-07-10T18:51:13.920Z","dateUpdated":"2026-07-16T19:15:39.183Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-16 20:16:46","lastModifiedDate":"2026-07-16 20:16:46","problem_types":["CWE-285","CWE-862","CWE-285 CWE-285: Improper Authorization","CWE-862 CWE-862: Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"61718","Ordinal":"1","Title":"bunkerweb: Read-only Web UI users can delete job cache files due","CVE":"CVE-2026-61718","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"61718","Ordinal":"1","NoteData":"bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @login_required, including POST /cache/delete, allowed low-privilege read-only reader accounts to permanently delete job cache files containing blacklist, greylist, DNSBL, CrowdSec, GeoIP, ModSecurity CRS, Let's Encrypt, ACME, and custom configuration data. This issue is fixed in version 1.6.12.","Type":"Description","Title":"bunkerweb: Read-only Web UI users can delete job cache files due"}]}}}