Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain (CMA) can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access permissions, bypassing Role-Based Access Control (RBAC).
AnalysisAI
Cross-domain RBAC bypass in Check Point Quantum Security Management allows an authenticated administrator with read-write access to one Management Domain (CMA) to modify Compliance Best Practices metadata stored in a separate Management Domain where they hold no permissions. The underlying root cause is SQL injection (CWE-89, corroborated by the 'SQLi' intelligence tag), suggesting the Compliance feature's metadata storage does not enforce domain-level query isolation. Affected releases span R81.10 and below, R81.20 up to Jumbo Hotfix Take 127, R82 up to Jumbo Hotfix Take 91, and R82.10 up to Jumbo Hotfix Take 19. No public exploit identified at time of analysis, and EPSS of 0.04% reflects low observed exploitation probability.
Technical ContextAI
The vulnerability resides in the Compliance module of Check Point Quantum Security Management (CPE: cpe:2.3:a:checkpoint:quantum_security_management:*:*:*:*:*:*:*:*), which is deployed in Multi-Domain Management (MDM) environments where multiple independent Management Domains (CMAs) are administered from a shared infrastructure. CWE-89 (SQL Injection) indicates that the Compliance Best Practices metadata - likely stored in a relational database backend shared across or insufficiently partitioned between CMAs - is vulnerable to SQL injection. An attacker-controlled metadata field submitted within one CMA context is not properly sanitized before being incorporated into a SQL query, enabling the injected payload to escape the domain boundary and reach rows belonging to another CMA. This breaks the foundational RBAC guarantee of MDM, where domain isolation is the primary security control preventing one CMA administrator from affecting another's environment.
RemediationAI
The primary fix is to upgrade to a patched Jumbo Hotfix Take for the relevant release train, per Check Point advisory sk184992 (https://support.checkpoint.com/results/sk/sk184992): for R82, apply Jumbo Hotfix Take 92 or later; for R81.20, apply Jumbo Hotfix Take 128 or later; for R82.10, apply Jumbo Hotfix Take 20 or later; R81.10 and below should be treated as end-of-supported-fix-path and upgraded to a current release. Exact hotfix take numbers for R81.10 and below are not independently confirmed from available data - consult the vendor advisory directly. As a compensating control if immediate patching is not possible, disable the Compliance feature within Multi-Domain Management to remove the vulnerable code path entirely; note this will suspend compliance reporting and Best Practices evaluation across all CMAs. Additionally, audit and restrict CMA administrator accounts to the minimum necessary domains, reducing the population of principals who could abuse this bypass. Patched version numbers are sourced from EUVD-2026-31823 and should be verified against the vendor advisory before deployment.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31823
GHSA-729m-hm3g-pgc3