Platform: codeigniter
Component: opensourcepos
Fixed in: 3.4.3
CVE-2026-33730 describes an Insecure Direct Object Reference (IDOR) vulnerability discovered in Open Source Point of Sale (opensourcepos), a PHP-based point-of-sale application. This vulnerability allows a low-privileged, authenticated user to manipulate the employee_id parameter to access the password change functionality of other users, potentially including administrator accounts. The vulnerability affects versions of the application prior to 3.4.2, and a patch has been released.
The primary impact of this IDOR vulnerability is unauthorized access to other user accounts, specifically the ability to change passwords. A successful attacker could gain control of administrator accounts, granting them full control over the point-of-sale system. This could lead to data breaches, financial fraud, and disruption of business operations. The ability to modify administrator passwords represents a significant escalation of privileges, allowing an attacker to perform actions they are not authorized to do, such as accessing sensitive customer data, modifying product prices, or processing fraudulent transactions. This vulnerability highlights the importance of proper authorization checks when handling user data and sensitive operations.
CVE-2026-33730 was publicly disclosed on 2026-03-27. No public proof-of-concept (POC) code has been released at the time of writing. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-33730 is to upgrade Open Source Point of Sale to version 3.4.2 or later. This version includes object-level authorization checks that validate user ownership before allowing access to password change functionality. If upgrading immediately is not possible, consider implementing temporary workarounds such as restricting access to the password change functionality based on IP address or user role. Additionally, review and strengthen existing authentication mechanisms to prevent unauthorized access. After upgrading, confirm the fix by attempting to access another user's password change functionality with a low-privileged account; it should be denied.
Update Open Source Point of Sale to version 3.4.2 or higher. This version includes object-level authorization checks to validate that the current user owns the employee_id being accessed, correcting the IDOR vulnerability.
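To make the authorization gap concrete, here is an added illustration in plain PHP (not opensourcepos code, and not the project's actual fix) of a password-change handler that trusts a client-supplied employee_id, beside one that applies the object-level check the advisory describes. The session layout, user array and request values are constructed for the example.

```php
<?php
// Added illustration, not opensourcepos code. Models the pattern from the advisory:
// a password-change handler that trusts the request's employee_id (the IDOR) next
// to one that verifies the caller owns that record (or is an administrator).

// Hypothetical session lookup: a low-privileged cashier is logged in.
function current_user(): array {
    return ['employee_id' => 7, 'is_admin' => false];  // constructed sample session
}

// VULNERABLE: the target account comes straight from the request. Nothing ties
// it to the authenticated user, so any logged-in user can reset any account.
function change_password_vulnerable(array $post, array &$users): bool {
    $target = (int) $post['employee_id'];
    if (!isset($users[$target])) {
        return false;
    }
    $users[$target]['password_hash'] = password_hash($post['new_password'], PASSWORD_DEFAULT);
    return true;
}

// HARDENED: object-level authorization. The client-supplied id is compared
// against the session; a mismatch is allowed only for administrators, and the
// denial is logged so the attempt is visible to whoever reviews the logs.
function change_password_hardened(array $post, array $session, array &$users): bool {
    $target      = (int) $post['employee_id'];
    $owns_record = ($target === (int) $session['employee_id']);
    if (!$owns_record && !$session['is_admin']) {
        error_log(sprintf('denied password change: actor=%d target=%d',
                          $session['employee_id'], $target));
        return false;
    }
    if (!isset($users[$target])) {
        return false;
    }
    $users[$target]['password_hash'] = password_hash($post['new_password'], PASSWORD_DEFAULT);
    return true;
}

// Constructed sample data: administrator (id 1) and cashier (id 7).
$users = [
    1 => ['username' => 'admin',   'password_hash' => ''],
    7 => ['username' => 'cashier', 'password_hash' => ''],
];
// Constructed request: the cashier's session submits the administrator's id.
$request = ['employee_id' => 1, 'new_password' => 'constructed-example'];
$session = current_user();

var_dump(change_password_vulnerable($request, $users));          // overwrites the admin hash
var_dump(change_password_hardened($request, $session, $users));  // refused and logged
```

The same comparison against the session is the post-upgrade check mentioned above: a low-privileged account requesting another employee_id should be refused.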
CVE-2026-33730 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Open Source Point of Sale versions prior to 3.4.2, allowing unauthorized access to user passwords.
You are affected if you are using Open Source Point of Sale version 3.4.2 or earlier. Upgrade to 3.4.2 to resolve the vulnerability.
Upgrade Open Source Point of Sale to version 3.4.2 or later. This version includes the necessary authorization checks to prevent unauthorized access.
There are currently no reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Open Source Point of Sale project's official website or GitHub repository for the latest security advisories and updates.