LiveActive security incident?Get immediate response
CVE Record

CVE-2026-15491: RafyMrX TOKO-ONLINE-ROTI missing authentication

A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carried out remotely. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2026-15491 is a missing authentication issue in RafyMrX TOKO-ONLINE-ROTI. A remote attacker may access functionality that should require login. The public record rates it high severity, but it does not identify the exact component or a vendor fix. Organizations using this project should treat internet-facing deployments as urgent to review.

Executive priority

Prioritize review if this application supports customer, order, payment, or administrative workflows. The issue could affect confidentiality, integrity, and availability, but public details are incomplete. If not deployed or not reachable, business urgency is lower.

Technical view

VulDB describes improper or missing authentication affecting RafyMrX TOKO-ONLINE-ROTI up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. The CVSS 2.0 score is 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P. The affected part is unspecified. The project uses rolling releases, so fixed version details are not available in the cited sources.

Likely exposure

Exposure is most relevant where TOKO-ONLINE-ROTI is deployed and reachable over a network, especially public web deployments. Version identification may require commit or code review because formal release ranges are not specified.

Exploitation context

The sources say the attack can be performed remotely and requires no authentication. KEV is false in the provided bundle, and the cited sources do not confirm active exploitation. VulDB lists CTI indicators behind a permissions-required page.

Researcher notes

Key gaps remain: affected component, proof details, fixed commit, and vendor remediation are not public in the supplied sources. The vendor reportedly did not respond. Avoid assuming all deployments are exploitable without validating code lineage and reachable functionality.

Mitigation direction

  • Identify any deployments of RafyMrX TOKO-ONLINE-ROTI.
  • Restrict external access until vendor guidance or a validated fix is available.
  • Review upstream repository activity around the referenced commit.
  • Check vendor or project channels for authentication-related updates.
  • Add compensating access controls for administrative or sensitive routes.

Validation and detection

  • Confirm whether the application is TOKO-ONLINE-ROTI.
  • Determine deployed code commit relative to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99.
  • Review route and controller access controls for missing authentication.
  • Check logs for unauthenticated access to sensitive functions.
  • Monitor CVE and VulDB entries for updated component or fix details.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-287: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · medium confidence lookup

CWE-306: Credential and account abuse lookup

Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-15491 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (2.0)
Known Exploited
No
Published

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

4CVSS vectors
6Timeline events
0ADP providers
5Source links

CVSS vector scores

4 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 2.0HighAV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR106.4VulDB
7.3CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R3.93.4VulDB
7.3CVSS 3.0HighCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R3.93.4VulDB
6.9CVSS 4.0MediumCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:XVulDB

Vulnerability scoring details

Base CVSS 4.0 score

6.9Medium
CVSS 4.0 vector shape for CVE-2026-15491Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineVulDB

    Advisory disclosed

  2. Source timelineVulDB

    VulDB entry created

  3. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  4. Source timelineVulDB

    VulDB entry last update

  5. CVE publishedCVE Program

    The CVE record was published.

  6. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
RafyMrXTOKO-ONLINE-ROTIddfe1cd587be0a0b5135d8b6e85cce2ec3aece99Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-287 · source CWE mapping

Improper Authentication

Improper Authentication represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-306 · source CWE mapping

Missing Authentication for Critical Function

Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.