Mender Enterprise Server CVE-2026-33552
LOWSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control.
AnalysisAI
Incorrect access control in Northern.tech Mender Enterprise Server before 4.1.1 allows remote unauthenticated attackers to gain limited confidential data exposure under high-complexity conditions. Classified under CWE-269 (Improper Privilege Management) and tagged as a Privilege Escalation vector, the flaw introduces an unauthorized access path to restricted resources, though impact is constrained to low confidentiality loss with no integrity or availability consequence. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects a minimal probability of imminent widespread exploitation.
Technical ContextAI
Mender Enterprise Server is Northern.tech's commercial IoT over-the-air (OTA) device update management platform. The vulnerability is rooted in CWE-269 (Improper Privilege Management), a class of flaw where access control logic fails to correctly enforce privilege boundaries - allowing actors to access resources or capabilities beyond their intended authorization level. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates the flaw is reachable over the network without authentication, but the high attack complexity (AC:H) implies that exploitation requires meeting specific, difficult-to-reproduce preconditions such as a race condition, a particular configuration state, or a protocol-level constraint. The provided CPE string (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is a placeholder and offers no actionable product scoping; affected versions are instead derived from the vendor description and advisory reference.
RemediationAI
Upgrade Northern.tech Mender Enterprise Server to version 4.1.1 or later, which is confirmed as the vendor-released fix per the advisory at https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server. If an immediate upgrade is not feasible, consider restricting network access to the Mender Server API to trusted IP ranges or internal networks only, which directly addresses the network-accessible attack vector (AV:N) and raises the effective bar for exploitation beyond the already-high AC:H. Note that IP allowlisting is a compensating control with operational trade-offs in dynamic or cloud-hosted deployments. Given that a companion vulnerability (CVE-2026-49009, input sanitization) was patched in the same release, upgrading to 4.1.1 addresses both issues simultaneously and is strongly preferred over any workaround.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today