Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, these sensitive information could be accessed by an unauthorized user.This issue was fixed in Hydrosystem Control System version 9.8.5
AnalysisAI
Hydrosystem Control System versions prior to 9.8.5 log user credentials in plaintext to accessible log files, enabling authenticated attackers with administrative privileges to extract valid credentials for lateral movement and privilege escalation. This vulnerability is particularly critical when chained with CVE-2026-34184, which may enable unauthorized access to those logged credentials. CVSS score of 6.9 reflects the high confidentiality impact restricted to authenticated administrative users; no public exploit code or active exploitation has been confirmed.
Technical ContextAI
This vulnerability stems from insecure logging practices (CWE-532: Insertion of Sensitive Information into Log File) in the Hydrosystem Control System application. The root cause is the failure to implement log sanitization or credential masking during the logging process. User credentials-including usernames and passwords or authentication tokens-are written in plaintext to log files that may be accessible to system administrators or other privileged users. The CVSS vector indicates network-accessible exposure (AV:N) with low attack complexity (AC:L) but requires high privileges (PR:H), limiting the immediate threat to already-compromised or malicious administrators. The chaining reference to CVE-2026-34184 suggests a secondary vulnerability may provide unauthorized access to these log files, significantly amplifying the risk in multi-vulnerability exploitation chains.
RemediationAI
Vendor-released patch: upgrade to Hydrosystem Control System version 9.8.5 or later, which addresses the credential logging vulnerability. Organizations unable to upgrade immediately should restrict log file access to the minimum necessary privileged users and implement file-level access controls (e.g., Unix permissions, SELinux) to prevent unauthorized log inspection. Review log retention policies and consider redacting or archiving logs containing sensitive information. Given the chaining risk with CVE-2026-34184, prioritize assessment of that vulnerability's patch status and apply both fixes in sequence. Consult https://www.hydrosystem.poznan.pl/ for upgrade instructions and https://cert.pl/posts/2026/04/CVE-2026-4901/ for additional mitigation guidance.
More in Control System
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20888
GHSA-f43w-3fr5-h2m3