Security Center
CVE-2026-2697
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.
AnalysisAI
Authenticated users of Security Center can manipulate the 'owner' parameter to gain unauthorized elevated privileges through an indirect object reference flaw. This network-accessible vulnerability requires valid credentials but no user interaction, enabling privilege escalation attacks with moderate impact on confidentiality, integrity, and availability. No patch is currently available.
Technical ContextAI
Classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Affects Security Center. An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in Security Center
View allSQL Injection in the Hardware Inventory report of Security Center 5.11.2. Rated high severity (CVSS 8.8), this vulnerabi
Installers of Kaspersky Security Center and Kaspersky Security Center Web Console prior to 12 & prior to 12 Patch A were
A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Se
Security Center's access control implementation fails to properly restrict authenticated users to their authorized scope
An improper privilege management vulnerability exists in Tenable Security Center where an authenticated, remote attacker
A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker co
An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Secu
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today