CVE-2026-53905: MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user c
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks.
This may expose sensitive permission mappings and internal configuration details.
Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-53905
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-539050.18% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 8% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-53905 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for MCO does not
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-53909: MCO does not correctly validate types of uploaded files. File upload validation functionality …nvd · 2026-07-01
- mediumCVE-2026-53908: MCO is vulnerable to User Enumeration through authentication-related functionalities. The appl…nvd · 2026-07-01
- mediumCVE-2026-53907: MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functio…nvd · 2026-07-01
- highCVE-2026-53906: MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related…nvd · 2026-07-01
- highCVE-2026-53904: MCO is vulnerable to Account Denial of Service due to improper implementation of password rese…nvd · 2026-07-01
- highCVE-2026-53903: MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer…nvd · 2026-07-01
More from NVD Recent CVEs
- mediumCVE-2026-15475: A weakness has been identified in MiniTool Partition Wizard up to 13.6. The affected element i…2026-07-12
- mediumCVE-2026-15474: A security flaw has been discovered in Eleveo Call Recording Software 9.7.0. Impacted is an un…2026-07-12
- mediumCVE-2026-15473: A vulnerability was identified in Eleveo Call Recording Software 9.7.0. This issue affects som…2026-07-12
- mediumCVE-2026-15472: A vulnerability was determined in Eleveo Call Recording Software 9.7.0. This vulnerability aff…2026-07-12
- mediumCVE-2026-15471: A vulnerability was found in Eleveo Call Recording Software 9.7.0. This affects an unknown par…2026-07-12