CVE-2026-23754
D-Link D-View 8 IDOR Allows Credential Disclosure and Account Takeover
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
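The access-control flaw described above, shown as an added example (not D-Link's code and not taken from the advisory): a hypothetical user-lookup handler in its IDOR form beside a hardened form that authorizes against the server-side session and never returns credential fields. The handler names, roles, field names and user data are all constructed assumptions.

```python
# Added illustration: hypothetical handler names and constructed data, not D-View 8 code.
from dataclasses import dataclass

SECRET_FIELDS = {"password_hash", "api_token"}  # never serialized to API clients

# Constructed sample user store.
USERS = {
    "u-1": {"user_id": "u-1", "name": "alice", "role": "superadmin",
            "password_hash": "constructed-hash-A", "api_token": "constructed-token-A"},
    "u-2": {"user_id": "u-2", "name": "bob", "role": "viewer",
            "password_hash": "constructed-hash-B", "api_token": "constructed-token-B"},
}


class Forbidden(Exception):
    """Raised for both 'not allowed' and 'no such user' so ids cannot be probed."""


@dataclass(frozen=True)
class Session:
    user_id: str  # established at login, held server-side
    role: str


def get_user_vulnerable(session: Session, requested_user_id: str) -> dict:
    # CWE-639 pattern: the caller is authenticated, but the client-supplied
    # user_id is used as the lookup key with no ownership or role check,
    # and the whole record (credential material included) is returned.
    return dict(USERS[requested_user_id])


def get_user_hardened(session: Session, requested_user_id: str) -> dict:
    # Authorize the object, not just the session: own record or admin role only.
    is_self = requested_user_id == session.user_id
    if not is_self and session.role != "superadmin":
        raise Forbidden("access denied")
    record = USERS.get(requested_user_id)
    if record is None:
        raise Forbidden("access denied")
    # Strip credential fields even for authorized callers, so a read API
    # can never hand out something usable as an authentication secret.
    return {k: v for k, v in record.items() if k not in SECRET_FIELDS}
```
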
| CWE | CWE-639 |
| Vendor | d-link |
| Product | d-view 8 |
| Published | Jan 21, 2026 |
| Last Updated | Mar 5, 2026 |
Affected Versions
D-Link / D-View 8
0 ≤ 2.0.1.107
References
Credits
Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.