CVE-2026-26289: Information Disclosure in PowerSYSTEM Center

The primary impact of CVE-2026-26289 is the unauthorized exposure of sensitive data. An attacker, already authenticated within the PowerSYSTEM Center environment but lacking administrative privileges, can leverage the vulnerable REST API endpoint to extract information intended for administrative eyes only. This could include configuration details, user credentials, or other proprietary data. Successful exploitation could lead to a compromise of system security and potentially enable further malicious actions, such as privilege escalation or data exfiltration. The blast radius extends to any data accessible through the device account export functionality, potentially impacting multiple systems and users.

1. 发布日期2026-05-12
2. 修改日期2026-05-13

The primary mitigation for CVE-2026-26289 is to upgrade PowerSYSTEM Center to version 5.28.1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict access to the device account export API endpoint using network segmentation or access control lists (ACLs) to limit exposure. Monitor API logs for unusual activity, specifically looking for requests originating from users with limited permissions attempting to access sensitive data. While a WAF may not directly prevent the vulnerability, it can be configured to detect and block suspicious API requests. After upgrading, confirm the vulnerability is resolved by attempting to export device accounts with a limited user account and verifying that access is denied.