CVE-2026-26418
Missing Authentication in Cognix Recon Client v3.0 Web API Enables Unauthorized Access
Publication date: 2026-03-05
Last updated on: 2026-03-10
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tcs | cognix_platform | 3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-26418 is due to missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client version 3.0.
Specifically, certain API endpoints such as /reconciliations/, /Scheduler/, and /DynamicReport/ did not enforce proper authentication and authorization controls.
This flaw allows remote attackers to access application functionality without any restriction or validation, meaning they can use the application features without proving their identity or having permission.
The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization).
How can this vulnerability impact me?
This vulnerability can allow remote attackers to access and use application functions without any restriction, potentially leading to unauthorized actions within the application.
Because there is no authentication or authorization enforced, attackers could manipulate or retrieve sensitive data, disrupt services, or perform actions that should be limited to authorized users only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the web API endpoints of Tata Consultancy Services Cognix Recon Client v3.0 are reachable without authentication or authorization. The endpoints named in the advisory are (clientreconhost is a placeholder for your deployment's hostname; substitute https:// if the instance is served over TLS):
- http://clientreconhost/reconciliations/
- http://clientreconhost/Scheduler/
- http://clientreconhost/DynamicReport/
You can use curl to request these endpoints from a fresh session, with no cookies or tokens and without following redirects, so that the first response is what you judge:
- curl -s -i http://clientreconhost/reconciliations/
- curl -s -i http://clientreconhost/Scheduler/
- curl -s -i http://clientreconhost/DynamicReport/
Interpret the first response line and headers rather than just the status code. A 401 or 403, or a 302/303 whose Location header points at a login page, means the endpoint is gated. A 200 whose body is application content (reconciliation listings, scheduler entries, report definitions) means the endpoint is reachable unauthenticated and the vulnerability is present. A 200 that merely renders the login form is not a finding, so inspect the body before concluding. Because the issue is also a missing authorization check (CWE-862), repeat the requests with the session of a low-privilege user and confirm that functionality reserved for administrators or other roles is still refused.
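The same check scripted, as an added example that is not part of the advisory page or of TCS's product: it requests each advisory-listed path with no credentials, refuses to follow redirects, and classifies the first response by status, Location header and body. The hostname, the "cve-2026-26418-check" User-Agent string and the login-page keywords are assumptions chosen for illustration; the paths are those named on the page.

```python
"""Unauthenticated reachability probe for the endpoints named in CVE-2026-26418 (added example)."""
import json
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Paths named in the advisory. The host below is a placeholder, as on the page.
PATHS = ["/reconciliations/", "/Scheduler/", "/DynamicReport/"]

# Assumed keywords that indicate a login page or login redirect rather than application content.
LOGIN_MARKERS = ("login", "sign in", "signin", "password", "saml", "openid")


def classify(status: int, location: Optional[str], body: str) -> str:
    """Classify one unauthenticated response to an advisory-listed path.

    'protected'    -> 401/403, or a redirect whose Location looks like a login page
    'vulnerable'   -> 200 whose body is not a login form (application content served to nobody)
    'inconclusive' -> anything else: 404, 5xx, a redirect elsewhere, or a 200 that renders the login form
    """
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        loc = (location or "").lower()
        return "protected" if any(m in loc for m in LOGIN_MARKERS) else "inconclusive"
    if status == 200:
        text = body.lower()
        # A 200 that only paints the login form is not a finding; look for a form plus login wording.
        if "<form" in text and any(m in text for m in LOGIN_MARKERS):
            return "inconclusive"
        return "vulnerable"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str], str]:
    """Return (status, Location header, first 64 KiB of body) for one request sent with no credentials."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2026-26418-check"})  # assumed UA string
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx (because of _NoRedirect), 4xx and 5xx all land here
        return err.code, err.headers.get("Location"), err.read(65536).decode("utf-8", "replace")


def probe(base_url: str, paths=PATHS) -> dict:
    """Probe every advisory-listed path under base_url and return {path: verdict}."""
    return {p: classify(*fetch(base_url.rstrip("/") + p)) for p in paths}


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://clientreconhost"
    print(json.dumps(probe(base), indent=2))
```

Run it as `python probe.py https://clientreconhost` against a non-production instance first; any path reported as vulnerable should then be re-requested by hand with `curl -i` so the body is reviewed before the finding is recorded. Treat a "protected" verdict as necessary but not sufficient: it only says anonymous access is gated, not that per-role authorization is enforced.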
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enforcing authentication and authorization on the affected API endpoints so that unauthenticated requests are rejected and authenticated requests are checked against the caller's role.
Tata Consultancy Services is reported to have implemented corrective measures by February 4, 2026, so ensure your Cognix Recon Client v3.0 installation is updated with the latest patches or versions that include these fixes, and re-run the unauthenticated checks above afterwards to confirm the endpoints now refuse anonymous access.
Until the patch is applied, restrict network access to the vulnerable API endpoints with firewall rules, network segmentation, or an authenticating reverse proxy placed in front of the application, and make sure the proxy is the only route to the backend so the gate cannot be bypassed by addressing the application host directly.
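A minimal deny-by-default gate of the kind that could be placed in front of the application as a stopgap, as an added example that is not TCS's code and not a description of their fix. It is a WSGI wrapper (a pattern, not a product recommendation) that allows only explicitly public prefixes without a session and refuses everything else, so the advisory-listed paths are covered without having to enumerate them. The public prefixes and the session check are assumptions; a real deployment would wire in its own session or token validation. Path normalization matters because backends such as IIS match paths case-insensitively, so a gate that only blocked the exact strings /reconciliations/, /Scheduler/ and /DynamicReport/ could be bypassed with /SCHEDULER/ or a dot-segment.

```python
"""Deny-by-default authentication gate for a reconciliation web API (added example, hypothetical)."""
import posixpath
from typing import Callable, Dict, Iterable, List

# Assumed: only the login flow and static assets are reachable without a session.
PUBLIC_PREFIXES = ("/login", "/static/")


def normalize(path: str) -> str:
    """Collapse dot-segments, repeated slashes and case so one rule covers every spelling of a path.

    '/Scheduler/../ReconCiliations/' and '//RECONCILIATIONS/' both become '/reconciliations/'.
    """
    norm = posixpath.normpath("/" + path.lstrip("/"))  # lstrip avoids POSIX's preserved leading '//'
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm.lower()


def decide(path: str, authenticated: bool) -> bool:
    """True if the request may proceed: public prefixes always, anything else only with a session."""
    p = normalize(path)
    if any(p.startswith(pub) for pub in PUBLIC_PREFIXES):
        return True
    return authenticated


def auth_gate(app: Callable, is_authenticated: Callable[[Dict], bool]) -> Callable:
    """Wrap a WSGI app so every non-public path requires is_authenticated(environ) to be True."""

    def gated(environ: Dict, start_response: Callable) -> Iterable[bytes]:
        if decide(environ.get("PATH_INFO", "/"), is_authenticated(environ)):
            return app(environ, start_response)
        start_response("401 Unauthorized", [("Content-Type", "text/plain"), ("WWW-Authenticate", "Bearer")])
        return [b"authentication required\n"]

    return gated


# --- Constructed stand-in for the backend and the session check, so the gate can be exercised offline ---

def _backend(environ: Dict, start_response: Callable) -> List[bytes]:
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"reconciliation data\n"]


def _has_session(environ: Dict) -> bool:
    # Assumed: a real deployment validates a signed session cookie or bearer token here.
    return environ.get("HTTP_AUTHORIZATION", "") == "Bearer demo-valid-token"


def request(path: str, token: str = "") -> str:
    """Send one request through the gated backend and return the status line (for demonstration/tests)."""
    captured: Dict[str, str] = {}

    def start_response(status: str, headers) -> None:
        captured["status"] = status

    environ = {"PATH_INFO": path, "HTTP_AUTHORIZATION": f"Bearer {token}" if token else ""}
    list(auth_gate(_backend, _has_session)(environ, start_response))
    return captured["status"]


if __name__ == "__main__":
    for p in ["/reconciliations/", "/SCHEDULER/", "/static/../DynamicReport/", "/login", "/static/app.js"]:
        print(f"{p:32} anonymous -> {request(p)}   with session -> {request(p, 'demo-valid-token')}")
```

The same deny-by-default posture applies inside the application itself: authentication should be a framework-level requirement from which public routes are explicitly exempted, not a check added route by route, since the latter is how endpoints such as /reconciliations/, /Scheduler/ and /DynamicReport/ end up unprotected in the first place.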