{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42516","assignerOrgId":"66834db9-ab24-42b4-be80-296b2e40335c","state":"PUBLISHED","assignerShortName":"CERT-In","dateReserved":"2026-04-28T08:14:36.620Z","datePublished":"2026-04-29T08:26:15.611Z","dateUpdated":"2026-04-29T12:15:10.366Z"},"containers":{"cna":{"providerMetadata":{"orgId":"66834db9-ab24-42b4-be80-296b2e40335c","shortName":"CERT-In","dateUpdated":"2026-04-29T08:26:15.611Z"},"title":"Broken Access Control Vulnerability in e-Sushrut HMIS","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-639","description":"CWE-639 Authorization bypass through User-Controlled key","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-566","descriptions":[{"lang":"en","value":"CAPEC-566 Authorization Bypass Through Parameter Manipulation"}]}],"affected":[{"vendor":"CDAC-Noida","product":"e-Sushrut, Hospital Management Information System (HMIS)","versions":[{"status":"affected","version":"Previous versions","versionType":"custom"}],"defaultStatus":"unaffected"}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:cdac-noida:e-sushrut_hospital_management_information_system_hmis_:previous_versions:*:*:*:*:*:*:*"}]}]}],"descriptions":[{"lang":"en","value":"This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system.","supportingMedia":[{"type":"text/html","base64":false,"value":"This vulnerability exists in e-Sushrut due to improper authorization checks during resource access. An authenticated attacker could exploit this vulnerability by manipulating encoded parameters in the request URL to gain unauthorized access to patient accounts on the targeted system."}]}],"references":[{"url":"https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0207","tags":["third-party-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"HIGH","baseScore":7.1,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}}],"solutions":[{"lang":"en","value":"Contact C-DAC for upgrading e-Sushrut HMIS to latest version","supportingMedia":[{"type":"text/html","base64":false,"value":"Contact C-DAC for upgrading e-Sushrut HMIS to latest version"}]}],"credits":[{"lang":"en","value":"This vulnerability is reported by Harsh Verma","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-29T12:14:58.022373Z","id":"CVE-2026-42516","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-29T12:15:10.366Z"}}]}}