CVE-2026-30777

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page.

Weakness

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Affected Software

Name	Vendor	Start Version	End Version
Ec-cube	Ec-cube	4.1.0 (including)	4.1.2 (excluding)
Ec-cube	Ec-cube	4.2.0 (including)	4.2.3 (excluding)
Ec-cube	Ec-cube	4.3.0 (including)	4.3.1 (excluding)
Ec-cube	Ec-cube	4.1.2 (including)	4.1.2 (including)
Ec-cube	Ec-cube	4.1.2-p1 (including)	4.1.2-p1 (including)
Ec-cube	Ec-cube	4.1.2-p2 (including)	4.1.2-p2 (including)
Ec-cube	Ec-cube	4.1.2-p3 (including)	4.1.2-p3 (including)
Ec-cube	Ec-cube	4.1.2-p4 (including)	4.1.2-p4 (including)
Ec-cube	Ec-cube	4.2.3 (including)	4.2.3 (including)
Ec-cube	Ec-cube	4.2.3-p1 (including)	4.2.3-p1 (including)
Ec-cube	Ec-cube	4.3.1 (including)	4.3.1 (including)

NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-30777
CWE	https://cwe.mitre.org/data/definitions/288.html

Authentication Bypass Using an Alternate Path or Channel

Weakness

Affected Software

Potential Mitigations

References

CVE-2026-30777

Authentication Bypass Using an Alternate Path or Channel

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References