CVE-2026-42569: Phpvms Laravel Importer Route Group Missing Auth
greprules fetch cve-2026-42569-phpvms-laravel-importer-route-group-missing-auth --engine opengrep
Description
Laravel `Route::group` registers the legacy `/importer` endpoints without authentication or admin-authorization middleware. The route group only applies the `web` middleware (session + CSRF), which does not verify identity, so a remote unauthenticated attacker can invoke `ImporterController` actions (`@config`, `@dbtest`, `@run`, `@complete`) and trigger the
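The check described above, sketched as an added example (not the rule's own pattern and not phpvms code): it flags `Route::group` attribute arrays whose middleware list contains no identity check. The route file is constructed, and treating only the `auth` and `can:` aliases as identity checks is an assumption.

```python
import re

# Constructed route file; not copied from phpvms. The @config/@run actions
# are named in the description; verbs, the other groups and the
# 'can:admin-access' ability are made up for illustration.
SAMPLE_ROUTES = """
Route::group([
    'prefix'     => 'importer',
    'middleware' => ['web'],
], function () {
    Route::get('/config', 'ImporterController@config');
    Route::post('/run', 'ImporterController@run');
});

Route::group([
    'prefix'     => 'admin',
    'middleware' => ['web', 'auth', 'can:admin-access'],
], function () {
    Route::get('/', 'DashboardController@index');
});

Route::group(['prefix' => 'api'], function () {
    Route::get('/status', 'StatusController@show');
});
"""

# Captures the attribute array passed as the first argument of Route::group.
GROUP_RE = re.compile(r"Route::group\(\s*\[(.*?)\]\s*,\s*function", re.DOTALL)
PREFIX_RE = re.compile(r"""['"]prefix['"]\s*=>\s*['"]([^'"]*)['"]""")
MIDDLEWARE_RE = re.compile(
    r"""['"]middleware['"]\s*=>\s*(\[[^\]]*\]|['"][^'"]*['"])""")
STRING_RE = re.compile(r"""['"]([^'"]+)['"]""")

def checks_identity(name):
    # Assumption: only Laravel's built-in auth/can aliases count here.
    return name == "auth" or name.startswith(("auth:", "auth.", "can:"))

def find_unauthenticated_groups(source):
    """Return (prefix, middleware names) for groups with no auth middleware."""
    findings = []
    for match in GROUP_RE.finditer(source):
        attrs = match.group(1)
        prefix = PREFIX_RE.search(attrs)
        mw = MIDDLEWARE_RE.search(attrs)
        names = STRING_RE.findall(mw.group(1)) if mw else []
        if not any(checks_identity(n) for n in names):
            findings.append((prefix.group(1) if prefix else "", names))
    return findings
```

A hit needs manual review: Laravel also lets middleware be inherited from an enclosing group or attached in a controller constructor, neither of which this text-level check sees.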
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided