
MyComplianceOffice MCO: EUVD-2026-40950

CVE-2026-53904 | MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-07-01 · CERT-PL · GHSA-4p9c-w7qw-q5pq
CVSS 4.0 score 6.3 · Vendor: CERT-PL

Severity by source

Vendor (CERT-PL), primary: 6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 3.7 LOW
Network-reachable with no auth, but AC:H for the security question prerequisite; impact is solely low availability with no confidentiality or integrity loss.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS vector breakdown (Vendor: CERT-PL)

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None

Lifecycle Timeline

CVE Published: Jul 01, 2026 - 11:58 (cve.org)
Analysis Generated: Jul 01, 2026 - 13:23 (vuln.today)

Description (CVE.org)

MCO is vulnerable to Account Denial of Service due to an improper implementation of the password reset functionality. Each password reset request invalidates the previously set password as well as previously issued temporary passwords; furthermore, password resets are not limited in any way. An attacker who provides the victim's email and the answer to their security question can successfully initiate the reset process and continuously invalidate credentials, effectively locking the victim out of their account. Answering security questions has a limited number of tries, which lowers the risk of this vulnerability.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
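The reset behaviour the description above attributes to MCO, placed next to a hardened variant, as an added example; this is not the vendor's code and not part of the advisory. The Account model, the plaintext password field and the rate-limit values are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

RESET_LIMIT = 3       # assumed policy: reset requests allowed per account per window
RESET_WINDOW = 3600   # assumed policy: window length in seconds

@dataclass
class Account:
    password: Optional[str]            # plaintext only for brevity; hash it in real code
    temp_password: Optional[str] = None
    reset_times: List[float] = field(default_factory=list)

def reset_vulnerable(acct: Account, now: float) -> str:
    """Pattern the advisory describes: every request invalidates the current
    password and any earlier temporary password, and nothing limits requests."""
    acct.password = None
    acct.temp_password = secrets.token_urlsafe(12)
    return acct.temp_password

def reset_hardened(acct: Account, now: float) -> Optional[str]:
    """Hardened variant: per-account rate limit, and the current password stays
    valid until the temporary one is actually used at login."""
    acct.reset_times = [t for t in acct.reset_times if now - t < RESET_WINDOW]
    if len(acct.reset_times) >= RESET_LIMIT:
        return None                      # throttled: existing credentials untouched
    acct.reset_times.append(now)
    acct.temp_password = secrets.token_urlsafe(12)  # only supersedes the earlier temp
    return acct.temp_password

def login(acct: Account, supplied: str) -> bool:
    """Accepts the current password or the one outstanding temporary password."""
    if acct.password and secrets.compare_digest(supplied, acct.password):
        return True
    if acct.temp_password and secrets.compare_digest(supplied, acct.temp_password):
        # temp consumed; a real flow would force the user to choose a new password here
        acct.password, acct.temp_password = supplied, None
        return True
    return False

def owner_still_has_access(reset_fn, attempts: int = 10) -> bool:
    """Run `attempts` unsolicited reset requests against one account and report
    whether the legitimate owner's own password still logs in afterwards."""
    acct = Account(password="owner-password")        # constructed sample account
    for i in range(attempts):
        reset_fn(acct, now=1000.0 + i)               # all inside one window
    return login(acct, "owner-password")

if __name__ == "__main__":
    print("vulnerable:", owner_still_has_access(reset_vulnerable))  # False
    print("hardened:  ", owner_still_has_access(reset_hardened))    # True
```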

Analysis (AI)

Account denial-of-service in MyComplianceOffice MCO 25.3.3.1 enables a remote attacker to permanently lock a targeted user out of their account by repeatedly triggering password resets. MCO's reset mechanism invalidates all previously set passwords and temporary credentials on every reset cycle, and imposes no rate limit on how frequently resets can be initiated - so once an attacker supplies the victim's email and a valid security question answer, they can sustain the lockout indefinitely. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Collect victim email via OSINT or internal knowledge
Delivery: Identify or socially engineer security question answer
Exploit: Submit password reset request via MCO web interface
Execution: Victim credentials invalidated immediately
Persist: Repeat reset requests continuously
Impact: Victim locked out of account indefinitely

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two concrete prerequisites: the attacker must know the victim's registered email address in MCO, and must be able to correctly answer the victim's security question. …

Risk Assessment: The CVSS 4.0 score of 6.3 with AV:N/AC:H/PR:N captures the threat accurately: the attack is remotely executable with no prior authentication, but attack complexity is genuinely high because the adversary must independently obtain the correct answer to the victim's security question, a fixed shared secret that is not publicly enumerable. …

Exploit Scenario: An attacker targeting a specific MCO user, for example a compliance officer at a regulated financial firm, obtains the victim's email address and social-engineers or already knows the answer to their security question. The attacker submits repeated password reset requests via the MCO web interface; each reset silently invalidates the victim's current password and any active temporary credentials, locking the victim out instantly and re-locking them any time they recover. …

Remediation: No vendor-released patch has been identified at the time of analysis; vendor contact attempts by CERT-PL were unsuccessful, and no advisory has been issued. …
