Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Authenticated low-privilege user (PR:L) sends a network request with simple semicolon trick (AC:L); cross-tenant access changes scope (S:C) and discloses other orgs' data (C:H), with no integrity/availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
AnalysisAI
{orgId} REST endpoints they should not be able to access by appending a semicolon to the request path. With a scope-changing CVSS of 7.7 and confidentiality impact, a low-privileged tenant could read data belonging to other organizations managed by the same platform. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account on the InControl 2 platform (CVSS PR:L) and network access to its REST API; it specifically targets /rest/o/{orgId} endpoints and depends on inserting a semicolon into the request path to desynchronize the access-control rule from the actual route. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N = 7.7) is internally consistent with the description: network-reachable, low complexity, requires some authentication (PR:L), no user interaction, scope-changed because the bypass crosses organizational/tenant boundaries, and high confidentiality impact with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user belonging to one organization in a shared InControl 2 deployment sends an API request to a /rest/o/{orgId} endpoint for an organization they do not belong to, appending a semicolon to the path so the access-control filter skips its check while the backend still serves the resource. Because attack complexity is low and only basic authentication is needed, the attacker can iterate across org IDs to harvest other tenants' configuration and device data. … |
| Remediation | Ensure InControl 2 is running a build dated 2026-06-03 or later, which contains the fix; the input does not provide a semantic version number for the patched release, so confirm the exact build with Peplink. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Deploy WAF or API gateway rules to block path traversal patterns (semicolons and special characters in REST endpoint paths); implement strict input validation to normalize path parameters before routing. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39651
GHSA-69xh-mqwf-cxv2