Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control.
AnalysisAI
Unauthenticated remote information disclosure in CFEngine Enterprise (versions before 3.21.8, 3.24.3, and 3.27.0) allows network attackers to access sensitive data via incorrect access control implementation. The CVSS vector indicates network-accessible exploitation without authentication (AV:N/PR:N) with low attack complexity, enabling automated scanning and exploitation. EPSS probability is low (0.02%, 5th percentile), suggesting limited attacker interest to date, though the authentication bypass tag indicates the vulnerability could expose sensitive configuration or operational data. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Technical ContextAI
CFEngine Enterprise is an infrastructure automation and configuration management platform developed by Northern.tech. This vulnerability stems from CWE-284 (Improper Access Control), indicating insufficient authorization checks that allow unauthorized access to protected resources or information. The CVSS vector reveals the flaw is exploitable over the network without requiring authentication (PR:N) or user interaction (UI:N), with low complexity (AC:L), meaning standard exploitation techniques work reliably. The confidentiality impact is low (C:L) with no integrity or availability impact, suggesting the access control flaw exposes specific information rather than enabling full system compromise. The authentication bypass tag confirms the vulnerability circumvents normal authentication mechanisms to access restricted data or functionality within the CFEngine management infrastructure.
RemediationAI
Upgrade to patched versions immediately: CFEngine Enterprise 3.21.8 or later for 3.21.x deployments, 3.24.3 or later for 3.24.x deployments, or 3.27.0 or later for 3.27.x deployments. Consult the vendor advisory at https://cfengine.com/blog/2026/cve-2026-24710-and-cve-2026-24711-and-cve-2026-24712/ for complete upgrade procedures and any breaking changes. If immediate patching is not feasible, implement network-level access controls restricting CFEngine Enterprise management interfaces to trusted IP ranges or administrative VLANs only, blocking public internet access entirely. This compensating control prevents unauthenticated remote exploitation but requires careful firewall rule configuration and may impact legitimate remote administration workflows requiring VPN access. Monitor CFEngine logs for unexpected authentication attempts or access to sensitive endpoints during the remediation window. Note that network restrictions do not address the underlying access control flaw and should be considered temporary mitigation only.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30278
GHSA-6276-886h-gjhr