Skip to main content

Peplink InControl EUVDEUVD-2026-39651

| CVE-2026-57920 HIGH
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (CWE-551)
2026-06-26 mitre GHSA-69xh-mqwf-cxv2
7.7
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Authenticated low-privilege user (PR:L) sends a network request with simple semicolon trick (AC:L); cross-tenant access changes scope (S:C) and discloses other orgs' data (C:H), with no integrity/availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 14:01 EUVD
Analysis Generated
Jun 26, 2026 - 13:20 vuln.today

DescriptionCVE.org

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.

AnalysisAI

{orgId} REST endpoints they should not be able to access by appending a semicolon to the request path. With a scope-changing CVSS of 7.7 and confidentiality impact, a low-privileged tenant could read data belonging to other organizations managed by the same platform. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege InControl user
Delivery
Identify target /rest/o/{orgId} endpoint
Exploit
Append semicolon to bypass access-control rule
Execution
Backend serves protected org resource
Impact
Exfiltrate cross-organization data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account on the InControl 2 platform (CVSS PR:L) and network access to its REST API; it specifically targets /rest/o/{orgId} endpoints and depends on inserting a semicolon into the request path to desynchronize the access-control rule from the actual route. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N = 7.7) is internally consistent with the description: network-reachable, low complexity, requires some authentication (PR:L), no user interaction, scope-changed because the bypass crosses organizational/tenant boundaries, and high confidentiality impact with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user belonging to one organization in a shared InControl 2 deployment sends an API request to a /rest/o/{orgId} endpoint for an organization they do not belong to, appending a semicolon to the path so the access-control filter skips its check while the backend still serves the resource. Because attack complexity is low and only basic authentication is needed, the attacker can iterate across org IDs to harvest other tenants' configuration and device data. …
Remediation Ensure InControl 2 is running a build dated 2026-06-03 or later, which contains the fix; the input does not provide a semantic version number for the patched release, so confirm the exact build with Peplink. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Deploy WAF or API gateway rules to block path traversal patterns (semicolons and special characters in REST endpoint paths); implement strict input validation to normalize path parameters before routing. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy