Skip to main content

CFEngine Enterprise CVE-2026-24711

| EUVDEUVD-2026-30278 MEDIUM
Improper Access Control (CWE-284)
2026-05-14 mitre GHSA-6276-886h-gjhr
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 16:31 vuln.today
CVSS changed
May 15, 2026 - 14:22 NVD
5.3 (MEDIUM)
CVE Published
May 14, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control.

AnalysisAI

Unauthenticated remote information disclosure in CFEngine Enterprise (versions before 3.21.8, 3.24.3, and 3.27.0) allows network attackers to access sensitive data via incorrect access control implementation. The CVSS vector indicates network-accessible exploitation without authentication (AV:N/PR:N) with low attack complexity, enabling automated scanning and exploitation. EPSS probability is low (0.02%, 5th percentile), suggesting limited attacker interest to date, though the authentication bypass tag indicates the vulnerability could expose sensitive configuration or operational data. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Technical ContextAI

CFEngine Enterprise is an infrastructure automation and configuration management platform developed by Northern.tech. This vulnerability stems from CWE-284 (Improper Access Control), indicating insufficient authorization checks that allow unauthorized access to protected resources or information. The CVSS vector reveals the flaw is exploitable over the network without requiring authentication (PR:N) or user interaction (UI:N), with low complexity (AC:L), meaning standard exploitation techniques work reliably. The confidentiality impact is low (C:L) with no integrity or availability impact, suggesting the access control flaw exposes specific information rather than enabling full system compromise. The authentication bypass tag confirms the vulnerability circumvents normal authentication mechanisms to access restricted data or functionality within the CFEngine management infrastructure.

RemediationAI

Upgrade to patched versions immediately: CFEngine Enterprise 3.21.8 or later for 3.21.x deployments, 3.24.3 or later for 3.24.x deployments, or 3.27.0 or later for 3.27.x deployments. Consult the vendor advisory at https://cfengine.com/blog/2026/cve-2026-24710-and-cve-2026-24711-and-cve-2026-24712/ for complete upgrade procedures and any breaking changes. If immediate patching is not feasible, implement network-level access controls restricting CFEngine Enterprise management interfaces to trusted IP ranges or administrative VLANs only, blocking public internet access entirely. This compensating control prevents unauthenticated remote exploitation but requires careful firewall rule configuration and may impact legitimate remote administration workflows requiring VPN access. Monitor CFEngine logs for unexpected authentication attempts or access to sensitive endpoints during the remediation window. Note that network restrictions do not address the underlying access control flaw and should be considered temporary mitigation only.

Share

CVE-2026-24711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy