CVE-2026-26418
Awaiting Analysis Awaiting Analysis - Queue
Missing Authentication in Cognix Recon Client v3.0 Web API Enables Unauthorized Access

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: MITRE

Description
Missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client v3.0 allows remote attackers to access application functionality without restriction via the network.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26418
EUVD
EUVD-2026-9842
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tcs cognix_platform 3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2026-26418 is due to missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client version 3.0.

Specifically, certain API endpoints such as /reconciliations/, /Scheduler/, and /DynamicReport/ did not enforce proper authentication and authorization controls.

This flaw allows remote attackers to access application functionality without any restriction or validation, meaning they can use the application features without proving their identity or having permission.

The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization).

Impact Analysis

This vulnerability can allow remote attackers to access and use application functions without any restriction, potentially leading to unauthorized actions within the application.

Because there is no authentication or authorization enforced, attackers could manipulate or retrieve sensitive data, disrupt services, or perform actions that should be limited to authorized users only.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the web API endpoints of Tata Consultancy Services Cognix Recon Client v3.0 are accessible without authentication or authorization. Specifically, the endpoints to test are:

  • http://clientreconhost/reconciliations/
  • http://clientreconhost/Scheduler/
  • http://clientreconhost/DynamicReport/

You can use commands like curl to test access to these endpoints without credentials. For example:

  • curl -v http://clientreconhost/reconciliations/
  • curl -v http://clientreconhost/Scheduler/
  • curl -v http://clientreconhost/DynamicReport/

If these endpoints respond with data or functionality without requiring authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include enforcing authentication and authorization on the affected API endpoints to prevent unauthorized access.

Since Tata Consultancy Services has already implemented corrective measures by February 4, 2026, you should ensure your Cognix Recon Client v3.0 installation is updated with the latest patches or versions that include these fixes.

Additionally, restrict network access to the vulnerable API endpoints by using firewall rules or network segmentation to limit exposure until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26418. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart