Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:M/U:X
Network-reachable API (AV:N), low complexity decoding trick (AC:L), requires any valid Chef 360 account (PR:L), no user interaction; scope changes as a low-priv principal gains admin authority, yielding full C/I/A impact.
Primary rating from Vendor (ProgressSoftware).
CVSS VectorVendor: ProgressSoftware
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:M/U:X
Lifecycle Timeline
3DescriptionCVE.org
Impact
A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions. This issue is due to improper handling of URL-encoded paths during request processing. In certain scenarios, an authenticated request may bypass standard access controls gaining additional privileges, potentially allowing access to API endpoints that are intended to be restricted to higher-permissioned roles. The impact is limited to environments where the affected request patterns can be triggered and depends on specific deployment configuration and access controls in place. Resolution The issue has been addressed through product updates that improve request validation and enforce strict path normalization before authorization checks. Customers are advised to update to the latest available version containing the fix, version 1.7.1 or later.
AnalysisAI
Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with at least low-privilege credentials to the Chef 360 API (CVSS PR:L), network reachability to the Chef 360 HTTP endpoint (AV:N), and the ability to send requests containing URL-encoded path sequences that survive into the routing layer - the description explicitly attributes the bypass to 'improper handling of URL-encoded paths during request processing.' No user interaction is required (UI:N) and the vendor states the attack is automatable (AU:Y). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 8.6 (High) reflects network-reachable exploitation (AV:N), low complexity (AC:L), and low-privilege authentication (PR:L) with high impact to vulnerable and subsequent systems (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains or is issued a low-privilege Chef 360 account (for example, a read-only operator) crafts an HTTP request whose URL path contains percent-encoded traversal sequences targeting an administrative API endpoint. Because authorization is evaluated on the non-canonicalized path, the request passes the access check as if it were aimed at a permitted route, but after decoding it is dispatched to the privileged handler, granting the attacker administrative actions such as modifying node configurations or extracting secrets. … |
| Remediation | Vendor-released patch: Chef 360 1.7.1 - upgrade all Chef 360 deployments to version 1.7.1 or later, which adds strict URL path normalization before authorization checks per the Progress advisory at https://community.progress.com/s/article/Authentication-Bypass-via-URL-Encoded-Path-Traversal. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Chef 360 instances and document current versions deployed in production. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37955
GHSA-36qg-x8h8-59g2