Skip to main content

Plesk CVE-2026-56843

| EUVDEUVD-2026-42144 CRITICAL
Insufficiently Protected Credentials (CWE-522)
2026-07-08 hackerone GHSA-m4rp-7vj2-ggpc
9.9
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Authenticated low-priv customer (PR:L) over the network with low complexity crosses the tenant trust boundary (S:C), leaking credentials (C:H) that enable code execution as another user (I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 02:01 EUVD
Analysis Generated
Jul 08, 2026 - 01:22 vuln.today

DescriptionCVE.org

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.

AnalysisAI

Cross-tenant credential disclosure in WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to enumerate domains belonging to other tenants through the XML-RPC API, because ownership checks are applied only to certain lookup filters and schema validation is skipped for legacy protocol versions. Because affected FTP credentials are stored in cleartext, an attacker retrieves another tenant's FTP password and can pivot to executing code as that tenant's system user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Plesk customer account
Delivery
Call XML-RPC domain lookup with legacy protocol version
Exploit
Bypass ownership check and schema validation
Execution
Read other tenants' cleartext FTP credentials
Persist
Authenticate over FTP as victim system user
Impact
Execute code as another tenant

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated low-privileged Plesk customer account on the target server (PR:L) and the ability to reach the XML-RPC API over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a genuine high priority rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged customer on a shared Plesk server authenticates to the XML-RPC API and issues a domain-lookup request using a legacy protocol version and a filter that skips the ownership check, returning domain records owned by other tenants along with their cleartext FTP credentials. The attacker logs in over FTP as a victim tenant's system user and drops or modifies files, achieving code execution in the victim's context. …
Remediation Vendor-released patch: update to Plesk 18.0.78.4 or later, which restores ownership enforcement across all XML-RPC lookup filters and closes the legacy-protocol schema-validation bypass; refer to https://support.plesk.com/hc/en-us/articles/41178305151255-Vulnerability-in-Plesk-XML-API-Cleartext-FTP-Password-Exposure for the authoritative guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Plesk deployments and determine which operate in multi-tenant mode; review XML-RPC API access logs for domain enumeration activity from low-privilege accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy