CVE-2026-23754

D-Link D-View 8 IDOR Allows Credential Disclosure and Account Takeover

Description

D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.

INFO

Published Date :

2026-01-21T18:02:45.878Z

Last Modified :

2026-03-05T01:30:21.783Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2026-23754 vulnerability.

Vendors	Products
Dlink	D-view 8

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23754.

URL	Resource
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471
https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact