Skip to main content

Universal Plug CVE-2026-32214

| EUVDEUVD-2026-22595 MEDIUM
Improper Access Control (CWE-284)
2026-04-14 microsoft GHSA-g4ph-p8r8-x8fc
5.5
CVSS 3.1 · NVD
Temporal: 4.8
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
4.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:43 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22595
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
MEDIUM 5.5

DescriptionCVE.org

Improper access control in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.

AnalysisAI

Improper access control in Universal Plug and Play (upnp.dll) on Windows allows authenticated local attackers to disclose sensitive information without user interaction. The vulnerability affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (versions 22H3, 23H2, 24H2, 25H2, 26H1), and Windows Server 2012-2025. Microsoft has released patches available through their security update guide; no public exploit code or active exploitation has been reported at time of analysis.

Technical ContextAI

Universal Plug and Play (UPnP) is a network protocol implemented via upnp.dll on Windows systems that enables automatic device discovery and configuration. The vulnerability stems from improper access control in this library, categorized under CWE-284 (Improper Access Control), which occurs when the application does not properly enforce restrictions on who can access specific resources or functionality. The flaw allows a local authenticated user with low privileges (PR:L per CVSS vector) to bypass intended access restrictions and read sensitive information that should be restricted to higher privilege levels or specific users. This is a common pattern in privilege escalation or information disclosure attacks targeting system libraries where permission checks are insufficiently enforced at the API or resource level.

RemediationAI

Vendor-released patch: Microsoft has released security updates addressing this vulnerability across all affected Windows versions. Administrators should apply the latest cumulative updates or monthly security updates from the Microsoft Security Response Center (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32214) corresponding to each affected Windows version. For Windows 10, ensure installation of updates that bring build numbers to or above: 1607 (14393.9060), 1809 (17763.8644), 21H2 (19044.7184), and 22H2 (19045.7184). For Windows 11, apply updates to reach: 22H3 (22631.6936), 23H2 (22631.6936), 24H2 (26100.32690), 25H2 (26200.8246), and 26H1 (28000.1836). For Windows Server versions, update to: 2012/R2 (9600.23132), 2016 (14393.9060), 2019 (17763.8644), 2022 (20348.5020 or 23H2 25398.2274), and 2025 (26100.32690). As an interim mitigation prior to patching, restrict local user account privileges and audit UPnP service access controls where feasible. Enable Windows Update to ensure automatic patching of future security issues.

Share

CVE-2026-32214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy