June 22, 2026
When Anyone Can Be Admin: The Boat Booking App That Left the Back Door Wide Open
A breakdown of CVE-2026-10693 — a real-world authorization flaw that let regular users do administrator things
Agonize
What Happened?
A security vulnerability was discovered in a web application called the SourceCodester Online Boat Reservation System 1.0 — a free, open-source PHP app designed to let users book boat rentals online.[cve]
The flaw, tracked as CVE-2026-10693, was published on June 3, 2026, and was reported by security researcher Hemant Raj Bhati. It falls into one of the most common — and most dangerous — categories of web security bugs: broken access control.[cve]
So, What's Broken Access Control?
Think of a website like a building. Regular users get a key card that only opens the front door. Admins get a master key that opens everything — the server room, the filing cabinets, the back office.
Broken access control means the building forgot to check which key card you're holding before letting you in. You walk up to the admin server room, push the door, and it just… opens.
That's exactly what happened here. The application's administrative endpoints — the pages and functions meant only for admins — did not properly verify whether the person making a request actually had admin privileges.[cve]
What Could an Attacker Do?
Because the check was missing, any logged-in user could send requests directly to admin-only parts of the application. This could allow them to:
- Read sensitive data they weren't supposed to see
- Modify information such as bookings, users, or settings
- Disrupt the service, potentially causing data to become unavailable
The vulnerability affects multiple endpoints, meaning it wasn't just one forgotten check — it was a systemic issue across the admin panel.[cve]
How Serious Is It?
Security experts use a scoring system called CVSS to rate vulnerabilities. CVE-2026-10693 scored 6.3 out of 10 (Medium severity).[cve]
Here's what that means in plain terms:
Factor | Detail
Who can exploit it? | Anyone with a regular account (low-privilege user)
How hard is it? | Easy — no special conditions needed
Does it need user interaction? | No
Is it remote? | Yes — it can be done over the internet
Has it been publicly disclosed? | Yes — a proof-of-concept exploit exists
The exploit has already been publicly disclosed, which means the window to patch is now.[cve]
Why Does This Keep Happening?
Broken access control has been the #1 web security risk on the OWASP Top 10 list for years. It happens because developers often focus on authentication (checking who you are) but forget about authorization (checking what you're allowed to do).
The two concepts sound similar but are very different:
- Authentication = "Are you logged in?" ✅
- Authorization = "Are you allowed to do this?" ❌ (this is what was missing)
A secure system needs both checks on every sensitive action.
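To make the difference concrete, here is an added example (not code from the SourceCodester application) of a PHP admin-page check written the authentication-only way beside the corrected version that also checks authorization. The session layout (`user_id` and `role` set at login) and the `require_admin()` helper name are assumptions for illustration.

```php
<?php
// Added example, not code from the Online Boat Reservation System.
// Shows the pattern behind CVE-2026-10693 (admin pages that only check
// "is someone logged in?") next to a fixed version that also checks the role.
// Assumes the app stores the user's id and role in $_SESSION at login.

// BEFORE: authentication only. Any logged-in user reaches the admin action,
// which is the broken access control the advisory describes.
function can_access_admin_vulnerable(array $session): bool
{
    return isset($session['user_id']);           // "Are you logged in?"
}

// AFTER: authentication AND authorization. The role comes from the
// server-side session (populated from the database at login), never from
// a request parameter or a hidden form field the client could edit.
function can_access_admin_fixed(array $session): bool
{
    return isset($session['user_id'])            // "Are you logged in?"
        && isset($session['role'])
        && $session['role'] === 'admin';         // "Are you allowed to do this?"
}

// Helper to include at the top of every admin/*.php page: deny and stop.
// Hiding the admin link from the menu is not a control; the URL still works.
function require_admin(): void
{
    if (!can_access_admin_fixed($_SESSION ?? [])) {
        http_response_code(403);
        // Log the denial so repeated direct hits on admin URLs stand out.
        error_log(sprintf('authz denied: user=%s path=%s',
            $_SESSION['user_id'] ?? 'anon', $_SERVER['REQUEST_URI'] ?? '?'));
        exit('Forbidden');
    }
}

// Constructed sessions for a regular customer and for an administrator.
$customer = ['user_id' => 42, 'role' => 'user'];
$admin    = ['user_id' => 1,  'role' => 'admin'];

// The vulnerable check admits the customer; the fixed check admits only the admin.
var_dump(can_access_admin_vulnerable($customer));
var_dump(can_access_admin_fixed($customer));
var_dump(can_access_admin_fixed($admin));
```

Calling `require_admin()` before any database work on each admin endpoint is what closes the gap; a check that runs only on the menu page, or only on some of the admin scripts, leaves the same door open.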
Who Is at Risk?
This specific vulnerability affects users running SourceCodester Online Boat Reservation System version 1.0. SourceCodester is a platform that distributes free source code projects, often used for student assignments, small businesses, or rapid prototyping. These projects are widely downloaded, which means the reach of such a flaw can be broader than it first appears.[cve]
If you or someone you know is running this application in a live environment, the recommendation is simple: take it offline or restrict access immediately until a patched version is available.
The Takeaway
CVE-2026-10693 is a textbook example of why access control needs to be treated as a first-class concern in web development — not an afterthought. A flaw like this doesn't require a sophisticated attacker. It just requires someone who knows to ask: "What happens if I go directly to the admin URL?"
The answer, in this case, was: "You get in."
Stay curious. Stay patched. — Agonize Security Newsletter
Quick facts: CVE-2026-10693 | Published: June 3, 2026 | Severity: Medium (CVSS 6.3) | Affected: SourceCodester Online Boat Reservation System 1.0 | CNA: VulDB [cve]