Analysis status: pending

CVE-2026-26289: Information Disclosure in PowerSYSTEM Center

Platform

other

Component

subnet-solutions-powersystem-center

Fixed in

5.28.1

CVE-2026-26289 is an information disclosure vulnerability in the PowerSYSTEM Center REST API, specifically the device account export endpoint. Because the endpoint's authorization check is incorrect, an authenticated user with limited permissions can export data that is supposed to be restricted to administrative roles. This page lists the affected range as 5.8.0 through 7.0.x and the fix as version 5.28.1. Note that the fix section further down lists 6.1.1 and 7.0.0 as the fixed releases for the 6.x and 7.x branches, which does not agree with a 7.0.x upper bound on the affected range; confirm the exact fixed build for your branch against the vendor advisory before closing the finding.

Impact and Attack Scenarios

The primary impact of CVE-2026-26289 is unauthorized exposure of sensitive data. An attacker who already holds a valid, non-administrative PowerSYSTEM Center account can call the vulnerable REST API endpoint and retrieve information intended for administrators only. The page does not enumerate the exported fields; depending on what the device account export returns, this could include configuration details, user credentials, or other proprietary data. Successful exploitation compromises confidentiality directly and may enable follow-on actions such as privilege escalation or data exfiltration, which is why the CVSS vector below rates Scope as Changed. The blast radius covers everything reachable through the device account export function, so a single low-privileged account can expose data about many managed systems and users.

Exploitation Context

CVE-2026-26289 was published on May 12, 2026 and is rated HIGH (CVSS 3.1 base score 8.2). At the time of writing there is no publicly available proof-of-concept exploit, and the EPSS score is still pending. Prioritize remediation regardless: the vector requires only a low-privileged account, no user interaction, and low attack complexity, so any compromised or malicious user account is sufficient.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Medium

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Base score: 8.2 (HIGH)

Attack Vector: Adjacent (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (level of authentication required)
User Interaction: None (whether the victim must take an action)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

Source: nextguardhq.com, CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Adjacent: requires network proximity, such as the same LAN, Bluetooth, or a local segment. Since this page also rates Internet Exposure as Medium, verify where your PowerSYSTEM Center REST API is actually reachable from rather than relying on this metric alone.
Attack Complexity
Low: no special conditions. The attacker can exploit the flaw reliably.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Changed: the attack can pivot beyond the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
Low: the attacker can modify some data, with limited reach.
Availability
Low: partial or intermittent denial of service.

Affected Software

Component: subnet-solutions-powersystem-center
Vendor: Subnet Solutions
Minimum version: 5.8.0
Maximum version: 7.0.x
Fixed in: 5.28.1

Weakness Classification (CWE)

No CWE identifier is listed on this page; the fix section describes the flaw as an incorrect authorization check in the device account export REST API.

Timeline

  1. Published: May 12, 2026
  2. Modified: date not given on this page

Mitigation and Workarounds

The primary mitigation for CVE-2026-26289 is to upgrade PowerSYSTEM Center to version 5.28.1 or later (or the fixed release for your branch, see the fix section below). If an immediate upgrade is not feasible, apply temporary workarounds. Restrict access to the device account export API endpoint with network segmentation or access control lists (ACLs) so that only hosts that legitimately need the export can reach it. Monitor API logs for requests to that endpoint from users who do not hold an administrative role: a successful (2xx) response to such a request is the signature of the flaw being exercised, and even a rejected attempt is worth reviewing. A WAF cannot fix the missing authorization check itself, but it can be configured to detect and block export requests that do not come from expected accounts or source addresses. After upgrading, confirm the fix by attempting the device account export with a limited user account and verifying that the request is denied.
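The following is an added example, not code from Subnet Solutions or from this page, that implements the two procedural steps above: scanning API access logs for export requests made by non-administrative users, and classifying the result of the post-upgrade verification. The log format (JSON Lines with user, method, path and status), the export endpoint path pattern, the role table and the sample log lines are all constructed assumptions; the advisory does not give the real endpoint path, so take it from your own deployment.

```python
"""
Added example (not Subnet Solutions code) for the CVE-2026-26289 workaround
and verification steps.

ASSUMPTIONS (not from the advisory):
  * API access logs are JSON Lines with "ts", "user", "method", "path", "status".
  * The device account export endpoint matches EXPORT_PATTERN below; the real
    path is not given on this page and must come from your own deployment.
  * A role table tells us which users hold an administrative role.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical path pattern for the device account export endpoint.
EXPORT_PATTERN = re.compile(r"^/api/.*/device-accounts/export(\?|$)", re.IGNORECASE)

# Constructed role table: only "psc-admin" holds an administrative role.
ROLES: Dict[str, str] = {
    "psc-admin": "administrator",
    "ops-viewer": "operator",
    "contractor1": "read-only",
}

# Constructed sample log lines (JSON Lines), not real PowerSYSTEM Center output.
SAMPLE_LOG = """
{"ts":"2026-05-13T09:01:02Z","user":"psc-admin","method":"GET","path":"/api/v1/device-accounts/export","status":200}
{"ts":"2026-05-13T09:02:45Z","user":"ops-viewer","method":"GET","path":"/api/v1/devices","status":200}
{"ts":"2026-05-13T09:03:10Z","user":"ops-viewer","method":"GET","path":"/api/v1/device-accounts/export?format=csv","status":200}
{"ts":"2026-05-13T09:04:00Z","user":"contractor1","method":"GET","path":"/api/v1/device-accounts/export","status":403}
{"ts":"2026-05-13T09:05:30Z","user":"contractor1","method":"POST","path":"/api/v1/device-accounts/export","status":200}
""".strip()


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    role: str
    path: str
    status: int
    verdict: str  # "suspected_exploit" or "blocked_attempt"


def flag_export_by_non_admin(lines: Iterable[str], roles: Dict[str, str]) -> List[Finding]:
    """Return export-endpoint requests made by users without the administrator role.

    A 2xx response to a non-admin is the signature of the authorization bypass
    being exercised; a 401/403 is a blocked attempt that still deserves review.
    """
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the monitor
        path = str(entry.get("path", ""))
        if not EXPORT_PATTERN.match(path):
            continue
        user = str(entry.get("user", ""))
        role = roles.get(user, "unknown")  # unknown users are treated as non-admin
        if role == "administrator":
            continue
        status = int(entry.get("status", 0))
        verdict = "suspected_exploit" if 200 <= status < 300 else "blocked_attempt"
        findings.append(Finding(str(entry.get("ts", "")), user, role, path, status, verdict))
    return findings


def verify_fix(limited_user_status: int) -> str:
    """Classify the post-upgrade check: export as a limited user and look at the status.

    401/403 means the authorization check is now enforced, a 2xx means the
    instance is still exposed, anything else needs a manual look.
    """
    if limited_user_status in (401, 403):
        return "fixed"
    if 200 <= limited_user_status < 300:
        return "still_vulnerable"
    return "inconclusive"


if __name__ == "__main__":
    for f in flag_export_by_non_admin(SAMPLE_LOG.splitlines(), ROLES):
        print(f"{f.ts} {f.verdict:17} user={f.user} role={f.role} status={f.status} {f.path}")
    print("post-upgrade check:", verify_fix(403))
```

Run against real logs, feed the file's lines to flag_export_by_non_admin and replace ROLES with a lookup against your identity source; the unknown-user default errs toward alerting, which is the right bias for an authorization-bypass signature.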

How to fix

Upgrade PowerSYSTEM Center to version 5.28.1 or later, 6.1.1 or later, or 7.0.0 or later, depending on your branch. The update corrects the incorrect authorization check in the device account export REST API and stops the exposure of sensitive information.

Frequently Asked Questions

What is CVE-2026-26289 — Information Disclosure in PowerSYSTEM Center?

CVE-2026-26289 is a HIGH severity vulnerability affecting PowerSYSTEM Center versions 5.8.0 through 7.0.x. It allows authenticated users with limited permissions to export sensitive data via the device account export REST API, bypassing the authorization check that should limit the export to administrators.

Am I affected by CVE-2026-26289 in PowerSYSTEM Center?

You are affected if you are running PowerSYSTEM Center in the range this page lists, 5.8.0 through 7.0.x. Check your installed version and upgrade to the fixed release for your branch: 5.28.1 or later, 6.1.1 or later, or 7.0.0 or later, as given in the fix section.
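As an added example (not vendor code) serving both the fix section and this question, the function below classifies an installed PowerSYSTEM Center version against the fixed releases this page gives per branch (5.28.1, 6.1.1, 7.0.0). Because the page's affected range ("through 7.0.x") does not agree with 7.0.0 being fixed, 7.0.x builds are reported as conflicting rather than guessed either way. The dotted-integer version-string format is an assumption.

```python
"""
Added example (not Subnet Solutions code): branch-aware check of whether a
PowerSYSTEM Center version is covered by the fixes listed on this page for
CVE-2026-26289. Fixed releases per branch come from the fix section; the
version-string format is an assumption.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

AFFECTED_FROM: Version = (5, 8, 0)  # first affected release listed on this page
# Fixed release per major branch, per the fix section of this page.
FIXED_BY_BRANCH: Dict[int, Version] = {5: (5, 28, 1), 6: (6, 1, 1), 7: (7, 0, 0)}


def parse_version(text: str) -> Version:
    """Parse 'x.y.z' (optional leading 'v', trailing tags ignored) into a tuple padded to 3 parts."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def assess(version_text: str) -> str:
    """Return one of: fixed, affected, conflicting, out_of_range."""
    v = parse_version(version_text)
    major = v[0]
    if v < AFFECTED_FROM:
        return "out_of_range"  # older than the first affected release listed here
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return "out_of_range"  # branch not described on this page
    if v[:2] == (7, 0):
        # Page lists 7.0.x as affected and 7.0.0 as fixed: confirm with the vendor.
        return "conflicting"
    return "fixed" if v >= fixed else "affected"


if __name__ == "__main__":
    for sample in ["5.27.3", "5.28.1", "6.0.9", "6.1.1", "7.0.2", "7.1.0"]:
        print(f"{sample:8} {assess(sample)}")
```

Anything reported as conflicting or out_of_range should be resolved against the Subnet Solutions advisory, not by the script.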

How do I fix CVE-2026-26289 in PowerSYSTEM Center?

The recommended fix is to upgrade PowerSYSTEM Center to the fixed release for your branch: 5.28.1 or later, 6.1.1 or later, or 7.0.0 or later. As a temporary workaround, restrict network access to the device account export API endpoint and monitor for export requests from non-administrative accounts.

Is CVE-2026-26289 being actively exploited?

Currently there are no publicly known active exploitation campaigns targeting CVE-2026-26289, no public proof of concept, and the CVE is not listed in CISA KEV. The low privilege requirement and high confidentiality impact still warrant prompt remediation.

Where can I find the official PowerSYSTEM Center advisory for CVE-2026-26289?

Refer to the official Subnet Solutions security advisory for PowerSYSTEM Center for detailed information and updates regarding CVE-2026-26289, including the exact fixed build for each branch. Check the vendor's website or security notification channels.
