← back
CVE-2026-53905

Unauthorized Access to Administrator ACL View in MCO

CVSS 5.3 MEDIUMCWE-863
Vexday Risk Score
10Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
01 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
MyComplianceOffice · MCO

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →