Platform: other
Component: mbconnect24
Fixed in: 2.19.5
CVE-2026-33617 describes an information disclosure vulnerability in mbCONNECT24 versions 0.0.0 to 2.19.4. The flaw allows an unauthenticated attacker to retrieve a configuration file containing database credentials. Although no endpoint is exposed through which those credentials can be used directly, compromise of this file represents a significant risk to data confidentiality. The vulnerability was published on 2026-04-02, and upgrading to a patched version is the recommended remediation.
The primary impact of CVE-2026-33617 is the exposure of database credentials. Although the vulnerability description states that there is no direct endpoint through which these credentials can be used, an attacker who obtains the configuration file could potentially use them to access the underlying database. Depending on the permissions granted to the exposed database account, this could lead to unauthorized data access, modification, or deletion. The blast radius is limited to the data stored in the affected database, but the potential for data compromise remains a serious concern. The vulnerability highlights the importance of secure configuration management and access control.
CVE-2026-33617 is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no public proof-of-concept exploit is known at this time. Given the nature of the vulnerability (information disclosure) and the lack of a readily exploitable endpoint, the probability of exploitation is assessed as low to medium. The vulnerability was disclosed on 2026-04-02.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2026-33617 is to upgrade mbCONNECT24 to a version that addresses this vulnerability. Unfortunately, the specific fixed version is not provided. Until a patched version is in place, restrict access to the mbCONNECT24 installation to trusted networks and users, apply strict file system permissions so that the configuration file cannot be read by unauthorized accounts, and regularly review and audit the configuration file for signs of tampering. A Web Application Firewall (WAF) can help detect and block attempts to retrieve the configuration file, but it is not a substitute for patching.
Update mbCONNECT24 to a version later than 2.19.4 to fix the information disclosure vulnerability. This will prevent unauthenticated attackers from accessing configuration files containing database credentials.
CVE-2026-33617 is a vulnerability in mbCONNECT24 versions 0.0.0 to 2.19.4 that allows an attacker to access a configuration file containing database credentials, potentially leading to data compromise.
If you are using mbCONNECT24 versions 0.0.0 through 2.19.4, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade to a patched version of mbCONNECT24. Until a patch is available, restrict access to the installation and implement file system permissions.
There are currently no publicly known active exploitation campaigns targeting CVE-2026-33617, but the potential for exploitation remains.
Refer to the mbCONNECT24 vendor website or security mailing lists for the official advisory regarding CVE-2026-33617.