Skip to main content

GRASSMARLIN CVE-2026-6807

| EUVDEUVD-2026-26135 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-04-28 icscert
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 28, 2026 - 20:06 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 19:30 euvd
EUVD-2026-26135
Analysis Generated
Apr 28, 2026 - 19:30 vuln.today
CVE Published
Apr 28, 2026 - 17:41 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. The flaw stems from insufficient hardening of the XML parsing process.

AnalysisAI

XML External Entity (XXE) injection in GRASSMARLIN v3.2.1 allows authenticated local users to extract sensitive information through crafted session data that exploits insufficient XML parser hardening. The vulnerability has a CVSS score of 5.5 with local attack vector and high confidentiality impact, affecting users with login credentials on systems running the affected version.

Technical ContextAI

GRASSMARLIN is an NSA-developed network visualization and analysis tool used in industrial control systems (ICS) environments. The vulnerability stems from CWE-611 (Improper Restriction of XML External Entity Reference), a well-known XML parsing flaw where the XML parser processes external entity declarations without proper validation or filtering. When the application parses crafted session data files (likely XML-formatted), an attacker can define malicious external entities that reference local system files, allowing unauthorized read access to sensitive data on the server filesystem. The flaw indicates the XML parser was instantiated without XXE protections such as disabling DOCTYPE declarations, external entity resolution, or schema validation.

RemediationAI

Upgrade GRASSMARLIN to a patched version released by NSA following CISA advisory ICSA-26-118-01; consult the advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01 for exact fixed version availability and timeline. If an immediate patch is unavailable, implement these compensating controls: (1) restrict GRASSMARLIN login access to a minimal set of trusted operator accounts via authentication system controls, reducing the number of potential attackers to those with valid credentials; (2) disable or restrict the application's ability to import external session files, if that feature can be disabled without breaking critical workflows; (3) monitor session file creation and XML parsing logs for suspicious DOCTYPE or SYSTEM declarations; (4) run GRASSMARLIN under an OS-level user account with minimal file system permissions, limiting data exposure to non-sensitive files only. Each control involves operational trade-offs - restricting imports may require manual session management, and minimal file permissions may break backup or reporting features.

Share

CVE-2026-6807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy