Scanner gratuitement
Analyse en attenteCVE-2026-26289

CVE-2026-26289: Information Disclosure in PowerSYSTEM Center

Plateforme

other

Composant

subnet-solutions-powersystem-center

Corrigé dans

5.28.1

Voir sur NVD
Sauvegarder

CVE-2026-26289 describes an information disclosure vulnerability within the PowerSYSTEM Center REST API. This flaw allows authenticated users with limited permissions to export sensitive data that is normally restricted to administrative roles. The vulnerability impacts versions 5.8.0 through 7.0.x of PowerSYSTEM Center and has been resolved in version 5.28.1.

Impact et Scénarios d'Attaquetraduction en cours…

The primary impact of CVE-2026-26289 is the unauthorized exposure of sensitive data. An attacker, already authenticated within the PowerSYSTEM Center environment but lacking administrative privileges, can leverage the vulnerable REST API endpoint to extract information intended for administrative eyes only. This could include configuration details, user credentials, or other proprietary data. Successful exploitation could lead to a compromise of system security and potentially enable further malicious actions, such as privilege escalation or data exfiltration. The blast radius extends to any data accessible through the device account export functionality, potentially impacting multiple systems and users.

Contexte d'Exploitationtraduction en cours…

CVE-2026-26289 was published on May 12, 2026. The vulnerability's severity is rated HIGH (CVSS 8.2). Currently, there are no publicly available proof-of-concept (POC) exploits. The EPSS score is pending evaluation. It is recommended to prioritize remediation due to the potential for sensitive data exposure.

Renseignement sur les Menaces

Statut de l'Exploit

Preuve de ConceptInconnu
CISA KEVNO
Exposition InternetMoyenne

Vecteur CVSS

RENSEIGNEMENT SUR LES MENACES· CVSS 3.1CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L8.2HIGHAttack VectorAdjacentComment l'attaquant atteint la cibleAttack ComplexityLowConditions requises pour exploiterPrivileges RequiredLowNiveau d'authentification requisUser InteractionNoneSi une action de la victime est requiseScopeChangedImpact au-delà du composant affectéConfidentialityHighRisque d'exposition de données sensiblesIntegrityLowRisque de modification non autorisée de donnéesAvailabilityLowRisque d'interruption de servicenextguardhq.com · Score de base CVSS v3.1
Que signifient ces métriques?
Attack Vector
Adjacent — nécessite une proximité réseau: même LAN, Bluetooth ou segment local.
Attack Complexity
Faible — aucune condition spéciale requise. Exploitable de manière fiable.
Privileges Required
Faible — tout compte utilisateur valide est suffisant.
User Interaction
Aucune — attaque automatique et silencieuse. La victime ne fait rien.
Scope
Modifié — l'attaque peut pivoter au-delà du composant vulnérable.
Confidentiality
Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
Integrity
Faible — l'attaquant peut modifier certaines données avec un impact limité.
Availability
Faible — déni de service partiel ou intermittent.

Logiciel Affecté

Composantsubnet-solutions-powersystem-center
FournisseurSubnet Solutions
Version minimale5.8.0
Version maximale7.0.x
Corrigé dans5.28.1

Classification de Faiblesse (CWE)

CWE-863

Chronologie

  1. Publiée
  2. Modifiée

Mitigation et Contournementstraduction en cours…

The primary mitigation for CVE-2026-26289 is to upgrade PowerSYSTEM Center to version 5.28.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the device account export API endpoint using network segmentation or access control lists (ACLs) to limit exposure. Monitor API logs for unusual activity, specifically looking for requests originating from users with limited permissions attempting to access sensitive data. While a WAF may not directly prevent the vulnerability, it can be configured to detect and block suspicious API requests. After upgrading, confirm the vulnerability is resolved by attempting to export device accounts with a limited user account and verifying that access is denied.

Comment corrigertraduction en cours…

Actualice PowerSYSTEM Center a la versión 5.28.1 o posterior, 6.1.1 o posterior, o 7.0.0 o posterior para mitigar la vulnerabilidad. Esta actualización corrige el problema de autorización incorrecta en la API REST de exportación de cuentas de dispositivos, evitando la exposición de información sensible.

Questions fréquentestraduction en cours…

What is CVE-2026-26289 — Information Disclosure in PowerSYSTEM Center?

CVE-2026-26289 is a HIGH severity vulnerability affecting PowerSYSTEM Center versions 5.8.0–7.0.x. It allows authenticated users with limited permissions to export sensitive data via the REST API, bypassing administrative restrictions.

Am I affected by CVE-2026-26289 in PowerSYSTEM Center?

You are affected if you are running PowerSYSTEM Center versions 5.8.0 through 7.0.x. Check your version and upgrade to 5.28.1 or later to mitigate the risk.

How do I fix CVE-2026-26289 in PowerSYSTEM Center?

The recommended fix is to upgrade PowerSYSTEM Center to version 5.28.1 or later. As a temporary workaround, restrict access to the device account export API endpoint.

Is CVE-2026-26289 being actively exploited?

Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-26289. However, the vulnerability's severity warrants prompt remediation.

Where can I find the official PowerSYSTEM Center advisory for CVE-2026-26289?

Refer to the official PowerSYSTEM Center security advisory for detailed information and updates regarding CVE-2026-26289. Check the vendor's website or security notification channels.

Ton projet est-il affecté ?

Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.

Scanner gratuitementRechercher des CVE
en directfree scan

Essayez maintenant — sans compte

scanZone.subtitle

Scan manuelSlack/email alertsContinuous monitoringWhite-label reports

Glissez-déposez votre fichier de dépendances

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...