Skip to main content

Chef 360 CVE-2026-8100

| EUVDEUVD-2026-37955 HIGH
Relative Path Traversal (CWE-23)
2026-06-18 ProgressSoftware GHSA-36qg-x8h8-59g2
8.6
CVSS 4.0 · Vendor: ProgressSoftware
Share

Severity by source

Vendor (ProgressSoftware) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:M/U:X
vuln.today AI
9.9 CRITICAL

Network-reachable API (AV:N), low complexity decoding trick (AC:L), requires any valid Chef 360 account (PR:L), no user interaction; scope changes as a low-priv principal gains admin authority, yielding full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (ProgressSoftware).

CVSS VectorVendor: ProgressSoftware

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:X/RE:M/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
N

Lifecycle Timeline

3
Patch available
Jun 18, 2026 - 23:16 EUVD
Analysis Generated
Jun 18, 2026 - 22:16 vuln.today
CVE Published
Jun 18, 2026 - 21:18 cve.org
HIGH 8.6

DescriptionCVE.org

Impact

A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions. This issue is due to improper handling of URL-encoded paths during request processing. In certain scenarios, an authenticated request may bypass standard access controls gaining additional privileges, potentially allowing access to API endpoints that are intended to be restricted to higher-permissioned roles. The impact is limited to environments where the affected request patterns can be triggered and depends on specific deployment configuration and access controls in place. Resolution The issue has been addressed through product updates that improve request validation and enforce strict path normalization before authorization checks.  Customers are advised to update to the latest available version containing the fix, version 1.7.1 or later.

AnalysisAI

Authorization bypass in Progress Chef 360 prior to version 1.7.1 allows authenticated users to access higher-privileged API endpoints by exploiting improper URL-encoded path handling during request processing. The flaw is a path traversal/normalization weakness (CWE-23) that lets standard access controls be circumvented before authorization checks run. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Chef 360 credentials
Delivery
Reach Chef 360 API over network
Exploit
Craft URL-encoded path targeting admin endpoint
Execution
Bypass authorization via path mismatch
Persist
Invoke privileged API handler
Impact
Modify configuration or exfiltrate secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with at least low-privilege credentials to the Chef 360 API (CVSS PR:L), network reachability to the Chef 360 HTTP endpoint (AV:N), and the ability to send requests containing URL-encoded path sequences that survive into the routing layer - the description explicitly attributes the bypass to 'improper handling of URL-encoded paths during request processing.' No user interaction is required (UI:N) and the vendor states the attack is automatable (AU:Y). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 8.6 (High) reflects network-reachable exploitation (AV:N), low complexity (AC:L), and low-privilege authentication (PR:L) with high impact to vulnerable and subsequent systems (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains or is issued a low-privilege Chef 360 account (for example, a read-only operator) crafts an HTTP request whose URL path contains percent-encoded traversal sequences targeting an administrative API endpoint. Because authorization is evaluated on the non-canonicalized path, the request passes the access check as if it were aimed at a permitted route, but after decoding it is dispatched to the privileged handler, granting the attacker administrative actions such as modifying node configurations or extracting secrets. …
Remediation Vendor-released patch: Chef 360 1.7.1 - upgrade all Chef 360 deployments to version 1.7.1 or later, which adds strict URL path normalization before authorization checks per the Progress advisory at https://community.progress.com/s/article/Authentication-Bypass-via-URL-Encoded-Path-Traversal. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Chef 360 instances and document current versions deployed in production. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy