Access-Control

CVE-2026-7468 is an improper access control vulnerability in 1024-lab smart-admin up to version 3.30.0, affecting the /smart-admin-api/druid/index.html file, which can be exploited remotely.

HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit permissive access, potentially leading to unauthorized file disclosure and read access.

Luanti 5 before 5.15.2 allows unintended access to an insecure environment if a crafted mod intercepts requests when secure mods are enabled, potentially leading to unauthorized access and control.

An improper access control vulnerability in UniFi Play PowerAmp and Audio Port allows a malicious actor with access to the UniFi Play network to obtain WiFi credentials.

CVE-2026-22564 is an improper access control vulnerability in UniFi Play PowerAmp and Audio Port devices that allows an attacker with network access to enable SSH and make unauthorized system changes.

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions by invoking /reset or /new messages with an explicit sessionKey, bypassing operator.admin requirements.

OpenClaw before 2026.3.25 contains an improper access control vulnerability (CVE-2026-34512) in the HTTP /sessions/:sessionKey/kill route, allowing any authenticated user to terminate arbitrary subagent sessions.

CVE-2026-5569 describes a remote improper access control vulnerability in the /Technostrobe/ endpoint of Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30, potentially leading to unauthorized access and control of affected devices.

CVE-2026-5526 describes an improper access control vulnerability in the Tenda 4G03 Pro router's /bin/httpd file, allowing remote attackers to potentially gain unauthorized access.

A missing functional level access control vulnerability in HCL Aftermarket DPC (CVE-2025-55261) allows an attacker to escalate privileges, potentially compromising the application and leading to data theft or manipulation.

Kiteworks Core versions 9.2.0 and 9.2.1 contain an access control vulnerability (CVE-2026-23514) due to improper ownership management, allowing authenticated users to access unauthorized content, which can be mitigated by upgrading to version 9.2.2 or later.

Vulnerabilities in Paxton Net2 Access Control Units (ACUs) could allow unauthorized remote access and control of secured doors, potentially affecting prisons and other high-security facilities.

Detection of icacls.exe, cacls.exe, or xcacls.exe being used to modify file or directory permissions, often used by APTs and coinminers for defense evasion and persistence.

OpenRemote is vulnerable to privilege escalation, allowing an attacker with write:admin privileges in one Keycloak realm to gain administrator access to the master realm by manipulating Keycloak realm roles due to missing authorization checks in the updateUserRealmRoles function.

Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.