CVE-2026-53902: MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group memb
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation.
An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-53902
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-539020.21% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 11% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-53902 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for MCO does not
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-53909: MCO does not correctly validate types of uploaded files. File upload validation functionality …nvd · 2026-07-01
- mediumCVE-2026-53908: MCO is vulnerable to User Enumeration through authentication-related functionalities. The appl…nvd · 2026-07-01
- mediumCVE-2026-53907: MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functio…nvd · 2026-07-01
- highCVE-2026-53906: MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related…nvd · 2026-07-01
- highCVE-2026-53905: MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-v…nvd · 2026-07-01
- highCVE-2026-53904: MCO is vulnerable to Account Denial of Service due to improper implementation of password rese…nvd · 2026-07-01
More from NVD Recent CVEs
- mediumCVE-2026-15475: A weakness has been identified in MiniTool Partition Wizard up to 13.6. The affected element i…2026-07-12
- mediumCVE-2026-15474: A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an un…2026-07-12
- mediumCVE-2026-15473: A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects som…2026-07-12
- mediumCVE-2026-15472: A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability aff…2026-07-12
- mediumCVE-2026-15471: A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown par…2026-07-12