無料スキャン
分析待ちCVE-2026-26289

CVE-2026-26289: Information Disclosure in PowerSYSTEM Center

プラットフォーム

other

コンポーネント

subnet-solutions-powersystem-center

修正版

5.28.1

NVDで見る
保存

CVE-2026-26289 describes an information disclosure vulnerability within the PowerSYSTEM Center REST API. This flaw allows authenticated users with limited permissions to export sensitive data that is normally restricted to administrative roles. The vulnerability impacts versions 5.8.0 through 7.0.x of PowerSYSTEM Center and has been resolved in version 5.28.1.

影響と攻撃シナリオ翻訳中…

The primary impact of CVE-2026-26289 is the unauthorized exposure of sensitive data. An attacker, already authenticated within the PowerSYSTEM Center environment but lacking administrative privileges, can leverage the vulnerable REST API endpoint to extract information intended for administrative eyes only. This could include configuration details, user credentials, or other proprietary data. Successful exploitation could lead to a compromise of system security and potentially enable further malicious actions, such as privilege escalation or data exfiltration. The blast radius extends to any data accessible through the device account export functionality, potentially impacting multiple systems and users.

悪用の状況翻訳中…

CVE-2026-26289 was published on May 12, 2026. The vulnerability's severity is rated HIGH (CVSS 8.2). Currently, there are no publicly available proof-of-concept (POC) exploits. The EPSS score is pending evaluation. It is recommended to prioritize remediation due to the potential for sensitive data exposure.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L8.2HIGHAttack VectorAdjacent攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredLow攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeChanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityLow不正データ改ざんのリスクAvailabilityLowサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
隣接 — 同一LAN・Bluetooth・ローカル無線セグメントへの近接が必要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
低 — 有効なユーザーアカウントがあれば十分。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化あり — 攻撃が脆弱なコンポーネントを超えて他のシステムに波及可能。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
低 — 限定的な範囲でデータ変更可能。
Availability
低 — 部分的または断続的なサービス拒否。

影響を受けるソフトウェア

コンポーネントsubnet-solutions-powersystem-center
ベンダーSubnet Solutions
最小バージョン5.8.0
最大バージョン7.0.x
修正版5.28.1

弱点分類 (CWE)

CWE-863

タイムライン

  1. 公開日
  2. 更新日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2026-26289 is to upgrade PowerSYSTEM Center to version 5.28.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the device account export API endpoint using network segmentation or access control lists (ACLs) to limit exposure. Monitor API logs for unusual activity, specifically looking for requests originating from users with limited permissions attempting to access sensitive data. While a WAF may not directly prevent the vulnerability, it can be configured to detect and block suspicious API requests. After upgrading, confirm the vulnerability is resolved by attempting to export device accounts with a limited user account and verifying that access is denied.

修正方法翻訳中…

Actualice PowerSYSTEM Center a la versión 5.28.1 o posterior, 6.1.1 o posterior, o 7.0.0 o posterior para mitigar la vulnerabilidad. Esta actualización corrige el problema de autorización incorrecta en la API REST de exportación de cuentas de dispositivos, evitando la exposición de información sensible.

よくある質問翻訳中…

What is CVE-2026-26289 — Information Disclosure in PowerSYSTEM Center?

CVE-2026-26289 is a HIGH severity vulnerability affecting PowerSYSTEM Center versions 5.8.0–7.0.x. It allows authenticated users with limited permissions to export sensitive data via the REST API, bypassing administrative restrictions.

Am I affected by CVE-2026-26289 in PowerSYSTEM Center?

You are affected if you are running PowerSYSTEM Center versions 5.8.0 through 7.0.x. Check your version and upgrade to 5.28.1 or later to mitigate the risk.

How do I fix CVE-2026-26289 in PowerSYSTEM Center?

The recommended fix is to upgrade PowerSYSTEM Center to version 5.28.1 or later. As a temporary workaround, restrict access to the device account export API endpoint.

Is CVE-2026-26289 being actively exploited?

Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-26289. However, the vulnerability's severity warrants prompt remediation.

Where can I find the official PowerSYSTEM Center advisory for CVE-2026-26289?

Refer to the official PowerSYSTEM Center security advisory for detailed information and updates regarding CVE-2026-26289. Check the vendor's website or security notification channels.

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
scanZone.liveBadgescanZone.eyebrow

今すぐ試す — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...