Skip to main content

Quantum Security Management CVE-2026-48136

| EUVDEUVD-2026-31823 MEDIUM
SQL Injection (CWE-89)
2026-05-26 checkpoint GHSA-729m-hm3g-pgc3
4.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.1 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:18 vuln.today

DescriptionCVE.org

When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain (CMA) can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access permissions, bypassing Role-Based Access Control (RBAC).

AnalysisAI

Cross-domain RBAC bypass in Check Point Quantum Security Management allows an authenticated administrator with read-write access to one Management Domain (CMA) to modify Compliance Best Practices metadata stored in a separate Management Domain where they hold no permissions. The underlying root cause is SQL injection (CWE-89, corroborated by the 'SQLi' intelligence tag), suggesting the Compliance feature's metadata storage does not enforce domain-level query isolation. Affected releases span R81.10 and below, R81.20 up to Jumbo Hotfix Take 127, R82 up to Jumbo Hotfix Take 91, and R82.10 up to Jumbo Hotfix Take 19. No public exploit identified at time of analysis, and EPSS of 0.04% reflects low observed exploitation probability.

Technical ContextAI

The vulnerability resides in the Compliance module of Check Point Quantum Security Management (CPE: cpe:2.3:a:checkpoint:quantum_security_management:*:*:*:*:*:*:*:*), which is deployed in Multi-Domain Management (MDM) environments where multiple independent Management Domains (CMAs) are administered from a shared infrastructure. CWE-89 (SQL Injection) indicates that the Compliance Best Practices metadata - likely stored in a relational database backend shared across or insufficiently partitioned between CMAs - is vulnerable to SQL injection. An attacker-controlled metadata field submitted within one CMA context is not properly sanitized before being incorporated into a SQL query, enabling the injected payload to escape the domain boundary and reach rows belonging to another CMA. This breaks the foundational RBAC guarantee of MDM, where domain isolation is the primary security control preventing one CMA administrator from affecting another's environment.

RemediationAI

The primary fix is to upgrade to a patched Jumbo Hotfix Take for the relevant release train, per Check Point advisory sk184992 (https://support.checkpoint.com/results/sk/sk184992): for R82, apply Jumbo Hotfix Take 92 or later; for R81.20, apply Jumbo Hotfix Take 128 or later; for R82.10, apply Jumbo Hotfix Take 20 or later; R81.10 and below should be treated as end-of-supported-fix-path and upgraded to a current release. Exact hotfix take numbers for R81.10 and below are not independently confirmed from available data - consult the vendor advisory directly. As a compensating control if immediate patching is not possible, disable the Compliance feature within Multi-Domain Management to remove the vulnerable code path entirely; note this will suspend compliance reporting and Best Practices evaluation across all CMAs. Additionally, audit and restrict CMA administrator accounts to the minimum necessary domains, reducing the population of principals who could abuse this bypass. Patched version numbers are sourced from EUVD-2026-31823 and should be verified against the vendor advisory before deployment.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

Share

CVE-2026-48136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy