CVE Catalog

CVE-2026-53905

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

The vulnerability in MCO is due to improper authorization enforcement in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated low-privileged user can retrieve administrator access control structures, potentially exposing sensitive permission mappings and internal configuration details.

Risk Assessment

The risk involves potential privilege escalation through unauthorized access to administrator ACL structures, which may lead to leakage of confidential configuration data and permission mappings.

Recommendation

It is recommended to immediately apply security patches from the vendor or temporarily restrict access to the endpoint via firewall rules and request filtering.

Original NVD description (English source)

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS