CVE-2026-23782
Unauthorized API Secret Disclosure in BMC Control-M/MFT 9.0.x

Publication date: 2026-04-10

Last updated on: 2026-04-27

Assigner: MITRE

Description
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-27
Generated: 2026-06-16
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: bmc
Product: control-m/managed_file_transfer
Version / Range: from 9.0.20 (inclusive) to 9.0.22 (inclusive)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability exists in BMC Control-M/MFT versions 9.0.20 through 9.0.22. It involves an API management endpoint that allows unauthenticated users to obtain both an API identifier and its corresponding secret value.

With these exposed secrets, an attacker could invoke privileged API operations without authorization.

Impact Analysis

An attacker who obtains the API identifier and its secret can perform privileged API operations without any prior authentication.

This could lead to unauthorized access to sensitive functions or data within the affected BMC Control-M/MFT system.

Mitigation Strategies

To mitigate the vulnerability in BMC Control-M/MFT versions 9.0.20 through 9.0.22, it is recommended to apply the latest patches provided by BMC Software.

Specifically, installing Control-M/Server patch PACTV.9.0.21.308 or later addresses multiple issues including API vulnerabilities that could allow unauthorized access.

Ensure that prerequisites such as Control-M/Server 9.0.21.300 and earlier patches (PACTV.9.0.21.302, PACTV.9.0.21.305, PACTV.9.0.21.306, and for certain database platforms PACTV.9.0.21.307) are installed before applying this patch.

In High Availability environments, apply patches to both active and non-active hosts, and follow the recommended procedures to stop and verify the Control-M/Server Configuration Agent to avoid automatic failover during patching.

The patch installation involves shutting down Control-M/Server components, applying the patch, and restarting the components, which can be done interactively or silently.

Compliance Impact

The provided context does not include any information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves an API management endpoint in BMC Control-M/MFT versions 9.0.20 through 9.0.22 that allows unauthenticated users to obtain API identifiers and secret values. Detection would involve monitoring for unauthorized access attempts to the API management endpoint or unusual API calls that could indicate exploitation.

Since the provided resources do not include specific detection commands or network signatures, a general approach would be to monitor network traffic for suspicious API requests to the management endpoint and review logs for unauthorized access patterns.

Additionally, applying the patch listed under Mitigation Strategies (Control-M/Server patch PACTV.9.0.21.308) is recommended to remediate vulnerabilities including API-related issues.
