CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5504 vulnerabilities reference this CWE, most recent first.
CVE-2026-27112 (GCVE-0-2026-27112)
Vulnerability from cvelistv5 – Published: 2026-02-20 21:22 – Updated: 2026-02-24 18:43- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/akuity/kargo/security/advisori… | x_refsource_CONFIRM |
| https://github.com/akuity/kargo/commit/155c6852ff… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T18:43:26.135548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T18:43:40.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kargo",
"vendor": "akuity",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.9.0-rc.1, \u003c 1.9.3"
},
{
"status": "affected",
"version": "\u003e= 1.8.0-rc.1, \u003c 1.8.11"
},
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c 1.7.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo\u0027s legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can manifest a bug present in the logic of both endpoints to inject arbitrary resources (of specific types only) into the underlying namespace of an existing Project using the API server\u0027s own permissions when that behavior was not intended. Critically, an attacker may exploit this as a vector for elevating their own permissions, which can then be leveraged to achieve remote code execution or secret exfiltration. Exfiltrated artifact repository credentials can be leveraged, in turn, to execute further attacks. In some configurations of the Kargo control plane\u0027s underlying Kubernetes cluster, elevated permissions may additionally be leveraged to achieve remote code execution or secret exfiltration using kubectl. This can reduce the complexity of the attack, however, worst case scenarios remain entirely achievable even without this. This vulnerability is fixed in v1.7.8, v1.8.11, and v1.9.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T21:22:56.719Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/akuity/kargo/security/advisories/GHSA-7g9x-cp9g-92mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/akuity/kargo/security/advisories/GHSA-7g9x-cp9g-92mr"
},
{
"name": "https://github.com/akuity/kargo/commit/155c6852ffbffa2902f18e6c7add91a846e8d344",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/akuity/kargo/commit/155c6852ffbffa2902f18e6c7add91a846e8d344"
}
],
"source": {
"advisory": "GHSA-7g9x-cp9g-92mr",
"discovery": "UNKNOWN"
},
"title": "Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27112",
"datePublished": "2026-02-20T21:22:56.719Z",
"dateReserved": "2026-02-17T18:42:27.042Z",
"dateUpdated": "2026-02-24T18:43:40.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26973 (GCVE-0-2026-26973)
Vulnerability from cvelistv5 – Published: 2026-02-26 19:19 – Updated: 2026-02-26 20:41- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/discourse/discourse/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T20:40:10.083850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T20:41:30.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.12.2"
},
{
"status": "affected",
"version": "\u003e= 2026.1.0-latest, \u003c 2026.1.1"
},
{
"status": "affected",
"version": "\u003e= 2026.2.0-latest, \u003c 2026.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belonging to a category moderation group can create or delete their own notes on **any** reviewable in the system, including reviewables in categories they do not moderate. The controller used an unscoped `Reviewable.find` and the `ensure_can_see` guard only checked whether the user could access the review queue in general, not whether they could access the specific reviewable. Only instances with `enable_category_group_moderation` enabled are affected. Staff users (admins/moderators) are not impacted as they already have access to all reviewables. The issue is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0 by scoping the reviewable lookup through `Reviewable.viewable_by(current_user)`. As a workaround, disable the `enable_category_group_moderation` site setting. This removes the attack surface as only staff users will have access to the review queue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:20:35.711Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/discourse/discourse/security/advisories/GHSA-c587-qx78-vhmx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-c587-qx78-vhmx"
}
],
"source": {
"advisory": "GHSA-c587-qx78-vhmx",
"discovery": "UNKNOWN"
},
"title": "Discourse doesn\u0027t scope reviewable notes to user-visible reviewables"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26973",
"datePublished": "2026-02-26T19:19:18.139Z",
"dateReserved": "2026-02-16T22:20:28.612Z",
"dateUpdated": "2026-02-26T20:41:30.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26963 (GCVE-0-2026-26963)
Vulnerability from cvelistv5 – Published: 2026-02-19 23:38 – Updated: 2026-02-20 15:36- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/cilium/cilium/security/advisor… | x_refsource_CONFIRM |
| https://github.com/cilium/cilium/pull/42892 | x_refsource_MISC |
| https://github.com/cilium/cilium/commit/88e28e1e6… | x_refsource_MISC |
| https://github.com/cilium/cilium/releases/tag/v1.18.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:26:45.815584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:36:37.658Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cilium",
"vendor": "cilium",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.18.0, \u003c 1.18.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, WireGuard and Node Encryption are enabled. This issue has been fixed in version 1.18.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T23:38:36.110Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cilium/cilium/security/advisories/GHSA-5r23-prx4-mqg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-5r23-prx4-mqg3"
},
{
"name": "https://github.com/cilium/cilium/pull/42892",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/pull/42892"
},
{
"name": "https://github.com/cilium/cilium/commit/88e28e1e62c0b1a02c3f0fc22d888ac9eefbe885",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/commit/88e28e1e62c0b1a02c3f0fc22d888ac9eefbe885"
},
{
"name": "https://github.com/cilium/cilium/releases/tag/v1.18.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cilium/cilium/releases/tag/v1.18.6"
}
],
"source": {
"advisory": "GHSA-5r23-prx4-mqg3",
"discovery": "UNKNOWN"
},
"title": "Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26963",
"datePublished": "2026-02-19T23:38:36.110Z",
"dateReserved": "2026-02-16T22:20:28.612Z",
"dateUpdated": "2026-02-20T15:36:37.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26949 (GCVE-0-2026-26949)
Vulnerability from cvelistv5 – Published: 2026-03-04 17:04 – Updated: 2026-03-04 18:47- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/en-us/00042917… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | Device Management Agent (DDMA) |
Affected:
N/A , < 26.02
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26949",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T18:46:03.061334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T18:47:02.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Device Management Agent (DDMA)",
"vendor": "Dell",
"versions": [
{
"lessThan": "26.02",
"status": "affected",
"version": "N/A",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-03-03T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell Device Management Agent (DDMA), versions prior to 26.02, contain an Incorrect Authorization vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges."
}
],
"value": "Dell Device Management Agent (DDMA), versions prior to 26.02, contain an Incorrect Authorization vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T17:04:48.180Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000429177/dsa-2026-105"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2026-26949",
"datePublished": "2026-03-04T17:04:48.180Z",
"dateReserved": "2026-02-16T18:04:20.509Z",
"dateUpdated": "2026-03-04T18:47:02.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26336 (GCVE-0-2026-26336)
Vulnerability from cvelistv5 – Published: 2026-02-19 15:56 – Updated: 2026-05-11 23:11- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://connect.hyland.com/t5/alfresco-blog/cve-2… | vendor-advisorypatch |
| https://www.hyland.com/en/solutions/products/alfr… | product |
| https://www.vulncheck.com/advisories/hyland-alfre… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Hyland | Alfresco Enterprise |
Affected:
7.4.0 , < 7.4.2.6
(custom)
Affected: 23.6.0 , < 23.6.1 (semver) Affected: 25.1.0 , < 25.3.0 (semver) |
|
| Hyland | Alfresco Community |
Affected:
0 , < 25.3.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T19:05:44.420187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T19:06:06.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Alfresco Enterprise",
"vendor": "Hyland",
"versions": [
{
"lessThan": "7.4.2.6",
"status": "affected",
"version": "7.4.0",
"versionType": "custom"
},
{
"lessThan": "23.6.1",
"status": "affected",
"version": "23.6.0",
"versionType": "semver"
},
{
"lessThan": "25.3.0",
"status": "affected",
"version": "25.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Alfresco Community",
"vendor": "Hyland",
"versions": [
{
"lessThan": "25.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hyland:alfresco_content_services:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "7.4.2.6",
"versionStartIncluding": "7.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hyland:alfresco_content_services:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "23.6.1",
"versionStartIncluding": "23.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hyland:alfresco_content_services:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "25.3.0",
"versionStartIncluding": "25.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hyland:alfresco_content_services:*:*:*:*:community:*:*:*",
"versionEndExcluding": "25.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Piotr Bazydlo (@chudyPB) of watchTowr"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the \"/share/page/resource/\" endpoint, thus leading to the disclosure of sensitive configuration files."
}
],
"value": "Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the \"/share/page/resource/\" endpoint, thus leading to the disclosure of sensitive configuration files."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T23:11:19.969Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550"
},
{
"tags": [
"product"
],
"url": "https://www.hyland.com/en/solutions/products/alfresco-platform"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hyland-alfresco-improper-authorization-arbitrary-file-read"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hyland Alfresco Improper Authorization Arbitrary File Read",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-26336",
"datePublished": "2026-02-19T15:56:25.781Z",
"dateReserved": "2026-02-13T17:28:43.052Z",
"dateUpdated": "2026-05-11T23:11:19.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26328 (GCVE-0-2026-26328)
Vulnerability from cvelistv5 – Published: 2026-02-19 23:04 – Updated: 2026-02-20 15:38| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | x_refsource_CONFIRM |
| https://github.com/openclaw/openclaw/commit/87207… | x_refsource_MISC |
| https://github.com/openclaw/openclaw/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:27:05.967889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:38:50.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openclaw",
"vendor": "openclaw",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.2.14"
}
]
},
{
"product": "clawdbot",
"vendor": "openclaw",
"versions": [
{
"status": "affected",
"version": "\u003c= 2026.1.24-3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T23:04:12.188Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m"
},
{
"name": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59"
},
{
"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
}
],
"source": {
"advisory": "GHSA-g34w-4xqq-h79m",
"discovery": "UNKNOWN"
},
"title": "OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26328",
"datePublished": "2026-02-19T23:04:12.188Z",
"dateReserved": "2026-02-13T16:27:51.809Z",
"dateUpdated": "2026-02-20T15:38:50.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26316 (GCVE-0-2026-26316)
Vulnerability from cvelistv5 – Published: 2026-02-19 21:28 – Updated: 2026-02-20 15:41- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/openclaw/openclaw/security/adv… | x_refsource_CONFIRM |
| https://github.com/openclaw/openclaw/commit/743f4… | x_refsource_MISC |
| https://github.com/openclaw/openclaw/commit/f836c… | x_refsource_MISC |
| https://github.com/openclaw/openclaw/releases/tag… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| openclaw | openclaw |
Affected:
< 2026.2.13
|
|
| openclaw | @openclaw/bluebubbles |
Affected:
< 2026.2.13
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26316",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:32:08.946229Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:41:50.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openclaw",
"vendor": "openclaw",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.2.13"
}
]
},
{
"product": "@openclaw/bluebubbles",
"vendor": "openclaw",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.2.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:28:33.454Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758"
},
{
"name": "https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a"
},
{
"name": "https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f"
},
{
"name": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13"
}
],
"source": {
"advisory": "GHSA-pchc-86f6-8758",
"discovery": "UNKNOWN"
},
"title": "OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26316",
"datePublished": "2026-02-19T21:28:33.454Z",
"dateReserved": "2026-02-13T16:27:51.807Z",
"dateUpdated": "2026-02-20T15:41:50.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26308 (GCVE-0-2026-26308)
Vulnerability from cvelistv5 – Published: 2026-03-10 19:01 – Updated: 2026-03-10 20:12- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://github.com/envoyproxy/envoy/security/advi… | x_refsource_CONFIRM |
| https://github.com/envoyproxy/envoy/commit/b6ba0b… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| envoyproxy | envoy |
Affected:
>= 1.37.0, < 1.37.1
Affected: >= 1.36.0, < 1.36.5 Affected: >= 1.35.0, < 1.35.9 Affected: < 1.34.13 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T20:10:29.907912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T20:12:40.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "envoy",
"vendor": "envoyproxy",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.37.0, \u003c 1.37.1"
},
{
"status": "affected",
"version": "\u003e= 1.36.0, \u003c 1.36.5"
},
{
"status": "affected",
"version": "\u003e= 1.35.0, \u003c 1.35.9"
},
{
"status": "affected",
"version": "\u003c 1.34.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies\u2014specifically \"Deny\" rules\u2014by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T19:01:28.062Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5"
},
{
"name": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867"
}
],
"source": {
"advisory": "GHSA-ghc4-35x6-crw5",
"discovery": "UNKNOWN"
},
"title": "Envoy has an RBAC Header Validation Bypass via Multi-Value Header Concatenation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26308",
"datePublished": "2026-03-10T19:01:28.062Z",
"dateReserved": "2026-02-13T16:27:51.804Z",
"dateUpdated": "2026-03-10T20:12:40.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26304 (GCVE-0-2026-26304)
Vulnerability from cvelistv5 – Published: 2026-03-16 19:53 – Updated: 2026-03-17 13:38- CWE-863 - Incorrect Authorization
| URL | Tags |
|---|---|
| https://mattermost.com/security-updates | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Mattermost | Mattermost |
Affected:
11.3.0 , ≤ 11.3.0
(semver)
Affected: 11.2.0 , ≤ 11.2.2 (semver) Unaffected: 11.4.0 Unaffected: 11.3.1 Unaffected: 11.2.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26304",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:37:56.844126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:38:03.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "11.3.0",
"status": "affected",
"version": "11.3.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "11.2.2",
"status": "affected",
"version": "11.2.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "11.4.0"
},
{
"status": "unaffected",
"version": "11.3.1"
},
{
"status": "unaffected",
"version": "11.2.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0x7oda7123"
}
],
"descriptions": [
{
"lang": "en",
"value": "Mattermost versions 11.3.x \u003c= 11.3.0, 11.2.x \u003c= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T19:53:21.650Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"name": "MMSA-2025-00542",
"tags": [
"vendor-advisory"
],
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mattermost to versions 11.4.0, 11.3.1, 11.2.3 or higher."
}
],
"source": {
"advisory": "MMSA-2025-00542",
"defect": [
"https://mattermost.atlassian.net/browse/MM-66248"
],
"discovery": "EXTERNAL"
},
"title": "Permission Bypass in Playbook Run Creation"
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2026-26304",
"datePublished": "2026-03-16T19:53:21.650Z",
"dateReserved": "2026-02-13T10:43:14.474Z",
"dateUpdated": "2026-03-17T13:38:03.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26289 (GCVE-0-2026-26289)
Vulnerability from cvelistv5 – Published: 2026-05-12 21:02 – Updated: 2026-05-13 00:19- CWE-863 - Incorrect Authorization
| Vendor | Product | Version | |
|---|---|---|---|
| Subnet Solutions | PowerSYSTEM Center 2020 |
Affected:
5.8.x , ≤ 5.28.x
(custom)
|
|
| Subnet Solutions | PowerSYSTEM Center 2024 |
Affected:
6.0.x , ≤ 6.1.x
(custom)
|
|
| Subnet Solutions | PowerSYSTEM Center 2026 |
Affected:
7.0.x
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T00:19:06.419342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T00:19:14.634Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2020",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "5.28.x",
"status": "affected",
"version": "5.8.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2024",
"vendor": "Subnet Solutions",
"versions": [
{
"lessThanOrEqual": "6.1.x",
"status": "affected",
"version": "6.0.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "PowerSYSTEM Center 2026",
"vendor": "Subnet Solutions",
"versions": [
{
"status": "affected",
"version": "7.0.x"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kelly Stich of Subnet Solutions Inc. reported these vulnerabilities to CISA."
}
],
"datePublic": "2026-05-13T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only."
}
],
"value": "PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:02:42.509Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\u003cbr\u003e\n\u003cbr\u003eFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\u003cbr\u003e\n\u003cbr\u003eSubnet Solutions recommends users do the following in order to reduce risk:\n\u003cbr\u003e* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\u003cbr\u003e* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\u003cbr\u003e* Configure a notification rule that triggers in any bulk account export activity."
}
],
"value": "Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.\n\n\n\nFor assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com).\n\n\n\nSubnet Solutions recommends users do the following in order to reduce risk:\n\n* Monitor user activity records to ensure users are following acceptable usage policies of the application.\n\n* Restrict access to Notification Settings to trusted Administrators Monitor \"Send from Address\" in settings and Activity Records.\n\n* Configure a notification rule that triggers in any bulk account export activity."
}
],
"source": {
"advisory": "ICSA-26-132-02",
"discovery": "INTERNAL"
},
"title": "Subnet Solutions PowerSYSTEM Center Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-26289",
"datePublished": "2026-05-12T21:02:42.509Z",
"dateReserved": "2026-04-16T14:05:42.127Z",
"dateUpdated": "2026-05-13T00:19:14.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.