
MyComplianceOffice MCO CVE-2026-53905

EUVD: EUVD-2026-40951 · MEDIUM
Incorrect Authorization (CWE-863)
2026-07-01 · CERT-PL · GHSA-4hjp-j24w-p3rr
5.3 (CVSS 4.0) · Vendor: CERT-PL

Severity by source

Vendor (CERT-PL), primary: 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 4.3 MEDIUM

Network-reachable endpoint requiring a low-privilege session only; read-only ACL data disclosure with no integrity, availability, or scope-change impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS Vector (Vendor: CERT-PL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

Jul 01, 2026, 11:58: CVE Published (cve.org)
Jul 01, 2026, 13:23: Analysis Generated (vuln.today)

Description (CVE.org)

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Analysis (AI)

MCO's compliance management platform exposes administrator ACL tree structures to any authenticated low-privileged user via a missing authorization check on the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure web API endpoint. Confirmed by CERT-PL in version 25.3.3.1, the flaw allows low-privileged users to retrieve permission hierarchies and internal configuration details intended only for administrators. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privileged MCO user credentials
Delivery: Authenticate to MCO platform
Exploit: Send GET request to admin ACL hierarchy endpoint
Execution: Receive unrestricted admin ACL tree data
Impact: Map administrator roles and permission boundaries

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid authenticated session with at minimum low-privileged access to the MCO platform (PR:L per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 score of 5.3 (Medium) is well-supported by the available signals: AV:N (network reachable), AC:L (no special conditions), PR:L (requires a valid low-privilege account), and VC:L (low confidentiality impact limited to ACL structure data). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated MCO user with a standard low-privileged account issues a direct HTTP request to `/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure` using their session credentials. The server returns the full administrator ACL tree without validating the caller's authorization level, exposing role hierarchies and permission mappings. …

Remediation: No vendor-released patch has been identified at time of analysis due to unsuccessful vendor contact attempts by CERT-PL. … Detailed patch versions, workarounds, and compensating controls in full report.
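Since no vendor patch is identified, a defender's first compensating control is visibility into who is reading the ACL tree. The following is an added example (not code from vuln.today, CERT-PL or the vendor): a small detector that scans reverse-proxy access logs for successful reads of the advisory's endpoint by accounts outside a defender-maintained admin allowlist. The log layout, usernames and admin list are constructed assumptions; MCO's real log format may differ.

```python
import re
from collections import namedtuple

# Endpoint named in the CVE-2026-53905 advisory.
ACL_TREE_ENDPOINT = "/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure"

# Assumed log layout: reverse-proxy access log with the authenticated
# username as the second field. This is a constructed format for the example.
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

Hit = namedtuple("Hit", "ts src user status")


def find_unauthorized_acl_reads(log_lines, admin_users):
    """Return successful (2xx) reads of the ACL-tree endpoint by non-admin users.

    admin_users: set of account names entitled to the endpoint, maintained by
    the defender (an assumption of this example, not an MCO feature).
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path != ACL_TREE_ENDPOINT:
            continue
        status = int(m.group("status"))
        user = m.group("user")
        # A 403 means the request was refused; only 2xx responses leaked data.
        if 200 <= status < 300 and user not in admin_users:
            hits.append(Hit(m.group("ts"), m.group("src"), user, status))
    return hits


# Constructed sample lines (not real traffic): one admin read, one
# low-privileged read that succeeded, an unrelated request, and a refused read.
SAMPLE_LOG = [
    '10.0.0.5 admin.jane [01/Jul/2026:10:01:02 +0000] "GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure HTTP/1.1" 200',
    '10.0.0.9 analyst.bob [01/Jul/2026:10:03:15 +0000] "GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure?format=json HTTP/1.1" 200',
    '10.0.0.9 analyst.bob [01/Jul/2026:10:03:40 +0000] "GET /customer/servlet/mco/webapi/dashboard HTTP/1.1" 200',
    '10.0.0.12 guest.tom [01/Jul/2026:10:05:00 +0000] "GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure HTTP/1.1" 403',
]

if __name__ == "__main__":
    for h in find_unauthorized_acl_reads(SAMPLE_LOG, {"admin.jane"}):
        print(f"ALERT {h.ts} {h.src} user={h.user} read ACL tree (HTTP {h.status})")
```

Run it against the constructed sample and only analyst.bob's successful read is reported; a real deployment would feed it the proxy's own log stream and the organisation's actual administrator list.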



CVE-2026-53905 vulnerability details – vuln.today
