Skip to main content

Mender Enterprise Server CVE-2026-33552

LOW
Improper Privilege Management (CWE-269)
2026-05-27 mitre
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 14:24 vuln.today
CVSS changed
May 28, 2026 - 14:22 NVD
3.7 (LOW)
CVE Published
May 27, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control.

AnalysisAI

Incorrect access control in Northern.tech Mender Enterprise Server before 4.1.1 allows remote unauthenticated attackers to gain limited confidential data exposure under high-complexity conditions. Classified under CWE-269 (Improper Privilege Management) and tagged as a Privilege Escalation vector, the flaw introduces an unauthorized access path to restricted resources, though impact is constrained to low confidentiality loss with no integrity or availability consequence. No public exploit code exists and no active exploitation has been confirmed; EPSS of 0.02% (5th percentile) reflects a minimal probability of imminent widespread exploitation.

Technical ContextAI

Mender Enterprise Server is Northern.tech's commercial IoT over-the-air (OTA) device update management platform. The vulnerability is rooted in CWE-269 (Improper Privilege Management), a class of flaw where access control logic fails to correctly enforce privilege boundaries - allowing actors to access resources or capabilities beyond their intended authorization level. The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates the flaw is reachable over the network without authentication, but the high attack complexity (AC:H) implies that exploitation requires meeting specific, difficult-to-reproduce preconditions such as a race condition, a particular configuration state, or a protocol-level constraint. The provided CPE string (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is a placeholder and offers no actionable product scoping; affected versions are instead derived from the vendor description and advisory reference.

RemediationAI

Upgrade Northern.tech Mender Enterprise Server to version 4.1.1 or later, which is confirmed as the vendor-released fix per the advisory at https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server. If an immediate upgrade is not feasible, consider restricting network access to the Mender Server API to trusted IP ranges or internal networks only, which directly addresses the network-accessible attack vector (AV:N) and raises the effective bar for exploitation beyond the already-high AC:H. Note that IP allowlisting is a compensating control with operational trade-offs in dynamic or cloud-hosted deployments. Given that a companion vulnerability (CVE-2026-49009, input sanitization) was patched in the same release, upgrading to 4.1.1 addresses both issues simultaneously and is strongly preferred over any workaround.

Share

CVE-2026-33552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy