
MCO · EUVD-2026-40948 · CVE-2026-53902 · HIGH
Incorrect Privilege Assignment (CWE-266)
Published 2026-07-01 · CNA: CERT-PL · GHSA-rgv6-j8h9-46fv
Score 7.1 (CVSS 4.0) · Vendor: CERT-PL

Severity by source

Vendor (CERT-PL) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable endpoint (AV:N), simple request (AC:L), needs an existing low-priv account (PR:L), no interaction; unauthorized group changes give high integrity, low confidentiality, no availability, scope unchanged.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS Vector (Vendor: CERT-PL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Not defined (X)

Lifecycle Timeline

Analysis Generated: Jul 01, 2026 - 13:22 (vuln.today)
CVE Published: Jul 01, 2026 - 11:58 (cve.org) · HIGH 7.1

Description (CVE.org)

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided they have the necessary permissions, or potentially inferred through brute-force techniques.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Analysis (AI)

Privilege escalation in MyComplianceOffice (MCO) compliance platform version 25.3.3.1 lets an authenticated user add themselves to arbitrary groups via the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint, which fails to enforce authorization on group changes. By supplying a valid group ID - obtainable through the application's own group picker API or guessable via brute force - a low-privileged account can inherit the permissions of higher-privileged groups. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Authenticate with low-privileged MCO account
  • Delivery: Enumerate group IDs via group picker endpoint
  • Exploit: Send crafted request to group-membership endpoint
  • Execution: Add self to privileged group
  • Impact: Inherit elevated permissions

Vulnerability Assessment (AI)

Exploitation: Requires a valid authenticated MCO account (CVSS PR:L) that can reach the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint over the network (AV:N), plus a valid target group ID. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The vendor CVSS 4.0 score is 7.1 (High) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N, indicating a network-reachable, low-complexity attack requiring low privileges (an existing authenticated account) and no user interaction, yielding high integrity impact (unauthorized permission changes) with only low confidentiality and no availability impact, consistent with privilege escalation rather than data destruction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A low-privileged employee, or an attacker who has compromised one standard user credential, logs into MCO, calls the group picker endpoint to list valid group IDs, then sends a crafted request to the group-membership endpoint adding their own account to a privileged group. With the missing authorization check the change succeeds and the attacker gains elevated permissions without admin approval. …

Remediation: No vendor-released patch identified at time of analysis, as CERT-PL was unable to establish contact with MyComplianceOffice. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Confirm MCO version deployed and whether the vulnerable /group-membership endpoint is accessible; implement network or API gateway restrictions limiting endpoint access to authorized administrators only. …


EUVD-2026-40948 vulnerability details – vuln.today
