Skip to main content

BMC Control-M CVE-2026-23782

| EUVDEUVD-2026-21371 HIGH
Improper Access Control (CWE-284)
2026-04-10 mitre GHSA-83mf-f2q6-j3gg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 15:24 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 10, 2026 - 14:45 euvd
EUVD-2026-21371
CVE Published
Apr 10, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.

AnalysisAI

BMC Control-M/MFT 9.0.20-9.0.22 exposes API identifiers and secret values to unauthenticated remote attackers via an API management endpoint, enabling unauthorized invocation of privileged API operations. The CVSS vector (AV:N/AC:L/PR:N) confirms network-accessible, low-complexity exploitation requiring no authentication. Despite a 7.5 CVSS score, EPSS probability is minimal (0.03%, 8th percentile), and no public exploit or active exploitation (non-KEV) is identified at time of analysis.

Technical ContextAI

Control-M/MFT is BMC's managed file transfer solution within the Control-M Orchestration suite. The vulnerability stems from improper access control (CWE-284) on an API management endpoint that exposes both API client identifiers and their corresponding secret credentials without requiring authentication. In typical OAuth2/API key architectures, client secrets must be protected as they function like passwords for programmatic access. This endpoint failure allows trivial credential harvesting. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates any remote attacker can retrieve these secrets via simple HTTP requests without user interaction. The S:U (unchanged scope) suggests exploitation remains within the vulnerable component's authorization boundary, though the C:H (high confidentiality impact) confirms significant data exposure. Available CPE data is non-specific, but vendor advisory references confirm the affected product as Control-M/MFT versions 9.0.20, 9.0.21, and 9.0.22.

RemediationAI

Apply vendor-released patch documented in BMC Control-M Server PACTV-9-0-21-308 or later maintenance release as referenced in https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-308. Organizations running 9.0.20 or 9.0.22 should consult BMC's issue and defect management portal at https://www.bmc.com/support/resources/issue-defect-management.html to identify equivalent patches for their specific version. As an interim compensating control, restrict network access to Control-M/MFT API management endpoints using firewall rules or application-layer access controls to trusted administrative IP ranges only. Review API access logs for unauthorized credential retrieval attempts (GET requests to API management endpoints from unexpected sources) and rotate any potentially exposed API secrets. Organizations unable to patch immediately should consider temporarily disabling the vulnerable API management endpoint if business continuity permits, pending patch deployment.

Share

CVE-2026-23782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy