Gratis scannen
Analyse in behandelingCVE-2026-26289

CVE-2026-26289: Information Disclosure in PowerSYSTEM Center

Platform

other

Component

subnet-solutions-powersystem-center

Opgelost in

5.28.1

Bekijk op NVD
Opslaan

CVE-2026-26289 describes an information disclosure vulnerability within the PowerSYSTEM Center REST API. This flaw allows authenticated users with limited permissions to export sensitive data that is normally restricted to administrative roles. The vulnerability impacts versions 5.8.0 through 7.0.x of PowerSYSTEM Center and has been resolved in version 5.28.1.

Impact en Aanvalsscenarioswordt vertaald…

The primary impact of CVE-2026-26289 is the unauthorized exposure of sensitive data. An attacker, already authenticated within the PowerSYSTEM Center environment but lacking administrative privileges, can leverage the vulnerable REST API endpoint to extract information intended for administrative eyes only. This could include configuration details, user credentials, or other proprietary data. Successful exploitation could lead to a compromise of system security and potentially enable further malicious actions, such as privilege escalation or data exfiltration. The blast radius extends to any data accessible through the device account export functionality, potentially impacting multiple systems and users.

Uitbuitingscontextwordt vertaald…

CVE-2026-26289 was published on May 12, 2026. The vulnerability's severity is rated HIGH (CVSS 8.2). Currently, there are no publicly available proof-of-concept (POC) exploits. The EPSS score is pending evaluation. It is recommended to prioritize remediation due to the potential for sensitive data exposure.

Dreigingsinformatie

Exploit Status

Proof of ConceptOnbekend
CISA KEVNO
InternetblootstellingGemiddeld

CVSS-vector

DREIGINGSINFORMATIE· CVSS 3.1CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L8.2HIGHAttack VectorAdjacentHoe de aanvaller het doel bereiktAttack ComplexityLowVereiste omstandigheden om te exploiterenPrivileges RequiredLowVereist authenticatieniveau voor aanvalUser InteractionNoneOf het slachtoffer actie moet ondernemenScopeChangedImpact buiten het getroffen onderdeelConfidentialityHighRisico op blootstelling van gevoelige dataIntegrityLowRisico op ongeautoriseerde gegevenswijzigingAvailabilityLowRisico op verstoring van dienstennextguardhq.com · CVSS v3.1 Basisscore
Wat betekenen deze metrics?
Attack Vector
Aangrenzend — netwerknabijheid vereist: zelfde LAN, Bluetooth of lokaal draadloos segment.
Attack Complexity
Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
Privileges Required
Laag — elk geldig gebruikersaccount is voldoende.
User Interaction
Geen — automatische en stille aanval. Slachtoffer doet niets.
Scope
Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
Confidentiality
Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
Integrity
Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
Availability
Laag — gedeeltelijke of intermitterende denial of service.

Getroffen Software

Componentsubnet-solutions-powersystem-center
LeverancierSubnet Solutions
Minimumversie5.8.0
Maximumversie7.0.x
Opgelost in5.28.1

Zwakheidsclassificatie (CWE)

CWE-863

Tijdlijn

  1. Gepubliceerd
  2. Gewijzigd

Mitigatie en Workaroundswordt vertaald…

The primary mitigation for CVE-2026-26289 is to upgrade PowerSYSTEM Center to version 5.28.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the device account export API endpoint using network segmentation or access control lists (ACLs) to limit exposure. Monitor API logs for unusual activity, specifically looking for requests originating from users with limited permissions attempting to access sensitive data. While a WAF may not directly prevent the vulnerability, it can be configured to detect and block suspicious API requests. After upgrading, confirm the vulnerability is resolved by attempting to export device accounts with a limited user account and verifying that access is denied.

Hoe te verhelpenwordt vertaald…

Actualice PowerSYSTEM Center a la versión 5.28.1 o posterior, 6.1.1 o posterior, o 7.0.0 o posterior para mitigar la vulnerabilidad. Esta actualización corrige el problema de autorización incorrecta en la API REST de exportación de cuentas de dispositivos, evitando la exposición de información sensible.

Veelgestelde vragenwordt vertaald…

What is CVE-2026-26289 — Information Disclosure in PowerSYSTEM Center?

CVE-2026-26289 is a HIGH severity vulnerability affecting PowerSYSTEM Center versions 5.8.0–7.0.x. It allows authenticated users with limited permissions to export sensitive data via the REST API, bypassing administrative restrictions.

Am I affected by CVE-2026-26289 in PowerSYSTEM Center?

You are affected if you are running PowerSYSTEM Center versions 5.8.0 through 7.0.x. Check your version and upgrade to 5.28.1 or later to mitigate the risk.

How do I fix CVE-2026-26289 in PowerSYSTEM Center?

The recommended fix is to upgrade PowerSYSTEM Center to version 5.28.1 or later. As a temporary workaround, restrict access to the device account export API endpoint.

Is CVE-2026-26289 being actively exploited?

Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-26289. However, the vulnerability's severity warrants prompt remediation.

Where can I find the official PowerSYSTEM Center advisory for CVE-2026-26289?

Refer to the official PowerSYSTEM Center security advisory for detailed information and updates regarding CVE-2026-26289. Check the vendor's website or security notification channels.

Is jouw project getroffen?

Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.

Gratis scannenCVEs zoeken
livefree scan

Probeer het nu — geen account

Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.

Manual scanSlack/email alertsscanZone.capMonitorWhite-label reports

Sleep uw afhankelijkheidsbestand hierheen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...