Skip to main content

Security Center CVE-2026-2697

LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-02-23 vulnreport@tenable.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 23, 2026 - 16:29 nvd
MEDIUM 6.3

DescriptionCVE.org

An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.

AnalysisAI

Authenticated users of Security Center can manipulate the 'owner' parameter to gain unauthorized elevated privileges through an indirect object reference flaw. This network-accessible vulnerability requires valid credentials but no user interaction, enabling privilege escalation attacks with moderate impact on confidentiality, integrity, and availability. No patch is currently available.

Technical ContextAI

Classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Affects Security Center. An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-2697 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy