
Progress Flowmon: EUVD-2026-41375 | CVE-2026-8079 (HIGH)
Incorrect Authorization (CWE-863)
2026-07-02 · ProgressSoftware · GHSA-m362-439h-2w4j
Score 8.7 (CVSS 4.0, Vendor: ProgressSoftware)

Severity by source

Vendor (ProgressSoftware), primary rating: 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI estimate: 8.3 HIGH

Network-reachable with only a low-privileged account and no user interaction (AV:N/AC:L/PR:L/UI:N); confused-deputy authorization flaw yields high confidentiality and integrity impact with limited availability effect.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (ProgressSoftware).

CVSS Vector breakdown (Vendor: ProgressSoftware)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): None
Vulnerable System Confidentiality / Integrity / Availability (VC/VI/VA): High / High / Low
Subsequent System Confidentiality / Integrity / Availability (SC/SI/SA): None / None / None
Safety (S, supplemental metric; CVSS 4.0 has no Scope metric): Not Defined (X)

Lifecycle Timeline

1. Analysis generated: Jul 02, 2026 14:45 (vuln.today)

Description (CVE.org)

In Progress Flowmon versions prior to 12.5.9 and 13.0.10, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized access to sensitive data and unintended modifications to system configuration.

Analysis (AI)

Privilege escalation via incorrect authorization in Progress Flowmon lets an authenticated low-privileged user abuse the PDF generation workflow to have operations executed under another user's identity, exposing sensitive data and permitting unauthorized configuration changes. It affects all Flowmon releases before 12.5.9 (12.x branch) and before 13.0.10 (13.x branch). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: authenticate as a low-privileged Flowmon user
2. Delivery: craft a malicious PDF-generation request
3. Exploit: trigger the incorrect authorization (confused deputy)
4. Execution: the operation runs as a higher-privileged user
5. Impact: read sensitive data and alter system configuration
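The confused-deputy shape of this bug, as an added illustration that is not Flowmon's code: a report service hands PDF rendering to a privileged worker that performs its authorization checks against the principal named in the job, not against whoever enqueued it. The vulnerable handler fills that principal from a client-controlled request field; the hardened handler binds it from the authenticated session. The field name `owner`, the role names, and the worker design are all assumptions made for the example; the page does not say which request element or component Flowmon actually mishandles.

```python
"""Illustrative confused-deputy (CWE-863) pattern in a PDF/report export
flow, shown beside a hardened version. Hypothetical code for illustration;
it is not Flowmon's implementation and the field names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # "admin" or "viewer" (assumed role names)


class ReportService:
    """Hypothetical back end: a privileged render worker (the deputy) reads
    data and touches configuration under the principal named in the job it
    is handed. It never sees who actually submitted the export request."""

    def __init__(self) -> None:
        # Constructed sample state: two accounts and a sensitive config.
        self.users = {
            "alice": Principal("alice", "admin"),
            "mallory": Principal("mallory", "viewer"),
        }
        self.config = {"smtp_password": "s3cret", "retention_days": 30}

    def _run_render_job(self, job: dict) -> dict:
        actor = self.users.get(job["principal"])
        if actor is None:
            raise PermissionError("unknown principal " + str(job["principal"]))
        result = {"rendered_for": actor.name, "config": None, "updated": []}
        if job["include_config"]:
            # Authorization IS checked here, but against the job's principal.
            if actor.role != "admin":
                raise PermissionError("config read denied for " + actor.name)
            result["config"] = dict(self.config)
        for key, value in job["updates"].items():
            if actor.role != "admin":
                raise PermissionError("config write denied for " + actor.name)
            self.config[key] = value
            result["updated"].append(key)
        return result

    def export_pdf_vulnerable(self, session: Principal, request: dict) -> dict:
        """BUG: the job principal comes from a client-controlled request field
        (hypothetical "owner"), so the worker's checks run against whichever
        user the caller names rather than the caller."""
        job = {
            "principal": request.get("owner", session.name),
            "include_config": bool(request.get("include_config", False)),
            "updates": dict(request.get("updates", {})),
        }
        return self._run_render_job(job)

    def export_pdf_fixed(self, session: Principal, request: dict) -> dict:
        """FIX: the principal is bound server-side from the authenticated
        session; no request field can change whose privileges apply."""
        job = {
            "principal": session.name,
            "include_config": bool(request.get("include_config", False)),
            "updates": dict(request.get("updates", {})),
        }
        return self._run_render_job(job)


def attempt(handler: Callable[[Principal, dict], dict],
            session: Principal, request: dict) -> Tuple[str, object]:
    """Run an export handler and report ('ok', result) or ('denied', reason)."""
    try:
        return "ok", handler(session, request)
    except PermissionError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    # Constructed request: a viewer names an admin as the report owner and
    # asks for config data plus a config change in the same export.
    crafted = {"owner": "alice", "include_config": True,
               "updates": {"retention_days": 1}}
    svc = ReportService()
    print(attempt(svc.export_pdf_vulnerable, svc.users["mallory"], crafted))
    svc = ReportService()
    print(attempt(svc.export_pdf_fixed, svc.users["mallory"], crafted))
```

The point of the split between the handler and the worker is that the per-operation checks are present and look correct in isolation; the flaw is entirely in where the identity they check comes from. Reviewing only the worker would not find it.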

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated, low-privileged Flowmon user account (CVSS PR:L) with access to the report/PDF generation functionality; the request must be crafted within the PDF generation process, which is the feature that mis-attributes the operation to another user. …

Risk Assessment: The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high confidentiality and integrity impact. That makes it a credible priority in any environment where Flowmon accounts are broadly provisioned, since every authenticated low-tier user is a potential attacker. …

Exploit Scenario: A low-privileged Flowmon user who can log in to the console submits a specially crafted request through the PDF report generation flow so that the back end performs the operation under a higher-privileged user's context, returning data or applying configuration changes the attacker is not entitled to. No public proof-of-concept is available, but the low attack complexity and absence of required user interaction (AC:L/UI:N) mean a valid account is the main prerequisite.

Remediation: Upgrade to a fixed release: Flowmon 12.5.9 or later on the 12.x branch, or 13.0.10 or later on the 13.x branch, per the vendor advisory at https://community.progress.com/s/article/Flowmon-CVE-2026-8079. …

Recommended Action (AI)

Within 24 hours: identify all systems running Flowmon 12.x before 12.5.9 or 13.x before 13.0.10; until they are upgraded, restrict low-privileged users' access to PDF/report generation features through role-based access controls. …
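To support the inventory step above and the branch-specific fixed versions in the Remediation paragraph, the following added script (not vendor tooling) classifies installed Flowmon versions as affected or fixed. The fixed releases (12.5.9 and 13.0.10) come from the advisory text; the hostnames, the sample version strings, and the handling of build suffixes are constructed assumptions for the example. It goes slightly beyond the page by also flagging branches the advisory does not name as "unknown" rather than silently treating them as safe.

```python
"""Affected-version triage for CVE-2026-8079 using the fixed releases the
advisory names (12.5.9 on the 12.x branch, 13.0.10 on the 13.x branch).
Added example, not vendor tooling; the inventory below is constructed."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed release per maintained branch, as stated in the advisory.
FIXED_BY_BRANCH: Dict[int, Version] = {12: (12, 5, 9), 13: (13, 0, 10)}


def parse_version(text: str) -> Version:
    """Parse a version string such as '12.5.8' or '13.0.9-build77' (the
    build-suffix format is an assumption) into a comparable
    (major, minor, patch) tuple; missing components default to 0."""
    parts = re.findall(r"\d+", text)[:3]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version_text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one installed version."""
    v = parse_version(version_text)
    major = v[0]
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is not None:
        return "affected" if v < fixed else "fixed"
    if major < min(FIXED_BY_BRANCH):
        # The CVE text says "prior to 12.5.9", which covers older branches.
        return "affected"
    # Branches newer than those named in the advisory are not covered by it;
    # report them for manual review instead of assuming they are safe.
    return "unknown"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map {host: version} to (host, version, status), affected hosts first."""
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    order = {"affected": 0, "unknown": 1, "fixed": 2}
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "flowmon-dc1": "12.5.8",
    "flowmon-dc2": "12.5.9",
    "flowmon-lab": "13.0.9-build77",
    "flowmon-hq": "13.0.10",
    "flowmon-old": "11.3.2",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:16} {status}")
```

Feed `triage` a mapping exported from whatever asset system records the appliance version; the comparison is tuple-based, so 12.10.0 correctly sorts above 12.5.9 where a plain string comparison would not.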

