DavaIndia Pharmacy Vulnerability Exposed Customer Data, Admin Access
Monday, February 16, 2026
What
A critical security flaw in DavaIndia Pharmacy's platform allowed unauthorized access to super-admin APIs without authentication. This vulnerability enabled attackers to gain full administrative control, potentially viewing and modifying customer orders, personal data, and even bypassing prescription requirements.
Where
DavaIndia Pharmacy, a large Indian retail chain operated by Zota Health Care Ltd.
When
Reported August 20, 2025; fixed within a month; publicly disclosed February 13, 2026.
Key Factors
- The vulnerability stemmed from an exposed admin subdomain, identified through the platform's `forgot password` code, whose super-admin APIs accepted requests without authentication.
- A researcher demonstrated creating a new super-admin account via a crafted POST request, which gave full control over the platform's data and functions.
- With that access, an attacker could have bypassed prescription requirements and manipulated customer data, including generating 100% discount coupons.
Takeaways
- Organizations must conduct thorough security audits, especially on admin-facing APIs and subdomains, to prevent unauthenticated access and privilege escalation.
- Implement robust authentication and authorization checks for all critical endpoints, regardless of their intended visibility, to protect sensitive data and system integrity.
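The second takeaway in working form: an added illustration, not code from the article or from DavaIndia's platform. It models a super-admin account-creation endpoint in plain Python (no web framework; `Request`, `require_role`, the `ADMINS` store and the audit log are all hypothetical), showing the unprotected pattern beside a deny-by-default version that checks authentication and role before the handler body runs and records every refusal for detection.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    path: str
    body: dict
    session_user: Optional[dict] = None  # None = unauthenticated caller

ADMINS: dict = {}   # constructed in-memory admin store (hypothetical)
AUDIT: list = []    # denied attempts, for alerting on admin-API probing

class Forbidden(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status

def require_role(role: str):
    """Gate a handler: reject unauthenticated callers (401) and callers
    lacking `role` (403). Hidden hostnames are not a control; this is."""
    def wrap(handler):
        def guarded(req: Request):
            user = req.session_user
            if user is None:
                AUDIT.append((req.path, "anonymous", "no session"))
                raise Forbidden(401, "authentication required")
            if role not in user.get("roles", ()):
                AUDIT.append((req.path, user["name"], "missing role " + role))
                raise Forbidden(403, "insufficient role")
            return handler(req)
        return guarded
    return wrap

# Vulnerable pattern: relies on the admin host being unknown to outsiders.
def create_super_admin_unprotected(req: Request) -> int:
    ADMINS[req.body["username"]] = {"roles": ["super_admin"]}
    return 201

# Hardened pattern: identical body, but only a logged-in super admin reaches it.
@require_role("super_admin")
def create_super_admin(req: Request) -> int:
    ADMINS[req.body["username"]] = {"roles": ["super_admin"]}
    return 201

def handle(handler, req: Request) -> int:
    """Dispatch one request and turn a refusal into an HTTP status code."""
    try:
        return handler(req)
    except Forbidden as e:
        return e.status
```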
Original article: Security Affairs