Pending Analysis: CVE-2026-26289

CVE-2026-26289: Information Disclosure in PowerSYSTEM Center

Platform

other

Component

subnet-solutions-powersystem-center

Fixed in

5.28.1

CVE-2026-26289 describes an information disclosure vulnerability within the PowerSYSTEM Center REST API. This flaw allows authenticated users with limited permissions to export sensitive data that is normally restricted to administrative roles. The vulnerability impacts versions 5.8.0 through 7.0.x of PowerSYSTEM Center and has been resolved in version 5.28.1.

Impact and Attack Scenarios

The primary impact of CVE-2026-26289 is the unauthorized exposure of sensitive data. An attacker, already authenticated within the PowerSYSTEM Center environment but lacking administrative privileges, can leverage the vulnerable REST API endpoint to extract information intended for administrative eyes only. This could include configuration details, user credentials, or other proprietary data. Successful exploitation could lead to a compromise of system security and potentially enable further malicious actions, such as privilege escalation or data exfiltration. The blast radius extends to any data accessible through the device account export functionality, potentially impacting multiple systems and users.

Exploitation Context

CVE-2026-26289 was published on May 12, 2026. The vulnerability's severity is rated HIGH (CVSS 8.2). Currently, there are no publicly available proof-of-concept (POC) exploits. The EPSS score is pending evaluation. It is recommended to prioritize remediation due to the potential for sensitive data exposure.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Medium

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
CVSS v3.1 base score: 8.2 (HIGH)

Attack Vector: Adjacent (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)
What do these metrics mean?
Attack Vector
Adjacent — requires network proximity: same LAN, Bluetooth, or local wireless segment. Not internet-exposed.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: subnet-solutions-powersystem-center
Vendor: Subnet Solutions
Minimum version: 5.8.0
Maximum version: 7.0.x
Fixed in: 5.28.1


Mitigation and Workarounds

The primary mitigation for CVE-2026-26289 is to upgrade PowerSYSTEM Center to version 5.28.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the device account export API endpoint using network segmentation or access control lists (ACLs) to limit exposure. Monitor API logs for unusual activity, specifically looking for requests originating from users with limited permissions attempting to access sensitive data. While a WAF may not directly prevent the vulnerability, it can be configured to detect and block suspicious API requests. After upgrading, confirm the vulnerability is resolved by attempting to export device accounts with a limited user account and verifying that access is denied.
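As an added example (not from the advisory or the vendor), this is the log review the workaround paragraph describes: it parses constructed access-log lines in an assumed layout, flags requests to an assumed placeholder export route from users outside an assumed set of admin roles, and separates served (2xx) requests, which indicate exposure, from denied ones, which is what the post-upgrade check should show.

```python
import re

# Assumed (placeholder) pattern for the device account export route: the advisory
# does not name the path, so substitute the real route for your deployment.
EXPORT_PATH_RE = re.compile(r"/device[-_]?accounts?/export", re.IGNORECASE)
ADMIN_ROLES = {"admin", "administrator"}  # assumed role names
# Assumed access-log layout: <timestamp> <user> role=<role> <method> <path> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) role=(?P<role>\S+) "
                    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_nonadmin_exports(lines):
    """Every request to the export route made by a user outside the admin roles."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not EXPORT_PATH_RE.search(rec["path"]):
            continue
        if rec["role"].lower() not in ADMIN_ROLES:
            findings.append(rec)
    return findings

def exposures(findings):
    """Non-admin exports that were actually served (2xx): evidence of data exposure.
    After the upgrade these should all be denied (403), which is the verification
    step the advisory describes; any remaining 2xx means the fix is not in effect."""
    return [f for f in findings if 200 <= f["status"] < 300]

# Constructed sample log, not real PowerSYSTEM Center output.
SAMPLE_LOG = [
    "2026-05-12T09:00:01Z alice role=administrator GET /api/v1/device-accounts/export 200",
    "2026-05-12T09:05:12Z bob role=operator GET /api/v1/device-accounts/export 200",
    "2026-05-12T09:06:30Z bob role=operator GET /api/v1/devices 200",
    "2026-05-12T10:15:00Z carol role=viewer POST /api/v1/device-accounts/export 403",
    "not a log line",
]

if __name__ == "__main__":
    for f in exposures(find_nonadmin_exports(SAMPLE_LOG)):
        print(f"EXPOSURE {f['ts']} user={f['user']} role={f['role']} -> {f['status']}")
```

Run against the sample, only bob's served export is reported as an exposure; carol's denied request is still listed as a non-admin attempt worth reviewing.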

How to fix

Update PowerSYSTEM Center to version 5.28.1 or later, 6.1.1 or later, or 7.0.0 or later to mitigate the vulnerability. This update fixes the improper authorization issue in the device account export REST API, preventing the exposure of sensitive information.

Frequently asked questions

What is CVE-2026-26289 — Information Disclosure in PowerSYSTEM Center?

CVE-2026-26289 is a HIGH severity vulnerability affecting PowerSYSTEM Center versions 5.8.0–7.0.x. It allows authenticated users with limited permissions to export sensitive data via the REST API, bypassing administrative restrictions.

Am I affected by CVE-2026-26289 in PowerSYSTEM Center?

You are affected if you are running PowerSYSTEM Center versions 5.8.0 through 7.0.x. Check your version and upgrade to 5.28.1 or later to mitigate the risk.

How do I fix CVE-2026-26289 in PowerSYSTEM Center?

The recommended fix is to upgrade PowerSYSTEM Center to version 5.28.1 or later. As a temporary workaround, restrict access to the device account export API endpoint.

Is CVE-2026-26289 being actively exploited?

Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-26289. However, the vulnerability's severity warrants prompt remediation.

Where can I find the official PowerSYSTEM Center advisory for CVE-2026-26289?

Refer to the official PowerSYSTEM Center security advisory for detailed information and updates regarding CVE-2026-26289. Check the vendor's website or security notification channels.
