D-Link D-View 8 <2.0.1.107: Improper Access Control Allows Full Admin Takeover
CVE-2026-23754 Published on January 21, 2026
D-Link D-View 8 IDOR Allows Credential Disclosure and Account Takeover
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-23754 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2026-23754
Want to know whenever a new CVE is published for D-Link D View 8? stack.watch will email you.
Affected Versions
D-Link D-View 8:- Before and including 2.0.1.107 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.