CVE-2026-7292
Received - Intake
Improper Authorization in o2oa NodeAgent Allows Remote Access

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in o2oa up to 10.0. It affects the function syncFile in the file NodeAgent.java of the NodeAgent component. The manipulation leads to improper authorization. The attack can be initiated remotely; its complexity is rated high and exploitation is considered difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: o2oa
Product: o2oa
Version / Range: up to 10.0 (inclusive)
CWE ID    Description
CWE-266   A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285   The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated remote code execution on the O2OA server, potentially leading to full compromise of the application server, including theft of secrets, tampering with binaries, data destruction, and lateral movement.

Such a compromise could result in unauthorized access to sensitive personal data or protected health information, which would negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality, integrity, and availability.

Therefore, this vulnerability poses a significant risk to maintaining compliance with these regulations due to the potential for data breaches and unauthorized data manipulation.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the NodeAgent service by limiting exposure of TCP port 20010 to trusted networks only, ideally binding the service to localhost or a secure management network.

Additionally, remove or heavily restrict the use of remote execution commands such as 'restart' that execute files written via the same remote channel.

Implement strict allowlists for file paths accepted by the syncFile command to prevent overwriting critical startup scripts or configuration files.

Longer term, replace the weak authentication mechanism with a robust system that uses server-side secrets or cryptographic signatures over nonces and timestamps.
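The following is an added illustration of the last two mitigations (a path allowlist for syncFile and a credential bound to a server-side secret, a nonce and a timestamp); it is example code written for this page, not O2OA's own NodeAgent code, and the secret, the sync root directory and the token format are all assumptions.

```python
import hashlib
import hmac
import posixpath
import time

# Constructed values for this example; a real deployment loads the secret from protected config.
SERVER_SECRET = b"example-secret-from-protected-config"
MAX_SKEW_SECONDS = 60                   # accepted clock drift between caller and agent
SYNC_ROOT = "/opt/o2server/store"       # hypothetical directory syncFile may write into
_seen_nonces = {}                       # nonce -> expiry time; single-use replay cache


def make_token(secret, nonce, timestamp):
    """Caller side: HMAC-SHA256 over nonce and timestamp, keyed with the server-side secret."""
    msg = f"{nonce}|{timestamp}"
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def verify_token(secret, nonce, timestamp, token, now=None):
    """Agent side: freshness window, constant-time MAC check, then single-use nonce."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False                                  # stale or future-dated request
    if not hmac.compare_digest(make_token(secret, nonce, timestamp), token):
        return False                                  # forged token or wrong secret
    for old in [n for n, expiry in _seen_nonces.items() if expiry < now]:
        del _seen_nonces[old]                         # forget nonces past the window
    if nonce in _seen_nonces:
        return False                                  # replay of a captured request
    _seen_nonces[nonce] = now + MAX_SKEW_SECONDS
    return True


def sync_path_allowed(requested, root=SYNC_ROOT):
    """Accept only paths that normalise to somewhere strictly inside root.
    posixpath.join drops root for absolute input and normpath resolves '..',
    so both '/opt/o2server/start_linux.sh' and '../start_windows.bat' are refused."""
    target = posixpath.normpath(posixpath.join(root, requested))
    return target.startswith(root.rstrip("/") + "/")


def handle_sync_file(nonce, timestamp, token, path, now=None):
    """Gate a syncFile request on both checks; returns (accepted, reason)."""
    if not verify_token(SERVER_SECRET, nonce, timestamp, token, now):
        return False, "invalid or replayed credential"
    if not sync_path_allowed(path):
        return False, "path outside allowed sync root"
    return True, "accepted"
```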


Can you explain this vulnerability to me?

CVE-2026-7292 is a critical security vulnerability in the NodeAgent component of O2OA (versions up to 10.0) that allows unauthenticated remote code execution.

The vulnerability arises from a weak authentication mechanism where the NodeAgent exposes a public RSA key and accepts any credential that decrypts to a fixed prefix "o2@" without validating signatures, nonces, or timestamps.

An attacker can retrieve the public key, forge valid credentials by encrypting the fixed prefix, and then use the syncFile command to overwrite critical startup scripts on the server.

After overwriting these scripts, the attacker can trigger a restart command that executes the malicious scripts, resulting in arbitrary command execution on the server with the privileges of the O2OA service account.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on the affected server. Possible consequences include:

  • Full compromise of the application server, including persistent backdoors.
  • Theft of sensitive secrets and data.
  • Tampering with binaries and startup files.
  • Destruction of data.
  • Lateral movement within the network.

The exploit requires no authentication and targets a TCP port that is exposed by default, which makes remote exploitation easier.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the NodeAgent component of O2OA (up to version 10.0) is exposed on the default TCP port 20010 and if the unauthenticated HTTP endpoint for retrieving the RSA public key is accessible.

A detection approach involves attempting to access the public key endpoint and verifying if the NodeAgent service responds on port 20010. Additionally, checking for the presence of suspicious files such as overwritten startup scripts (e.g., start_windows.bat or start_linux.sh) or marker files like 'nodeagent_rce.txt' in typical locations (e.g., C:\Windows\Temp\) can indicate exploitation.

  • Use curl or wget to fetch the RSA public key from the HTTP endpoint: curl http://<target-ip>/x_organization_assemble_authentication/jaxrs/authentication/captchaRSAPublicKey
  • Use netcat or similar tools to check if TCP port 20010 is open: nc -vz <target-ip> 20010
  • Search for suspicious marker files indicating exploitation, e.g., on Windows: dir C:\Windows\Temp\nodeagent_rce.txt
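As an added defender-side audit for the checks above (not part of the original advisory), the script below parses `ss -ltn` output to flag NodeAgent listeners on port 20010 that are bound to anything other than loopback, and reports whether the marker file is present; the sample `ss` output is constructed, and the Linux marker path is an assumption (the advisory names only the Windows location).

```python
import ipaddress
import os

NODEAGENT_PORT = 20010
# Windows path is from the advisory text; the Linux path is an assumption for this example.
MARKER_FILES = [r"C:\Windows\Temp\nodeagent_rce.txt", "/tmp/nodeagent_rce.txt"]

# Constructed `ss -ltn` output standing in for a live host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:20010    0.0.0.0:*
LISTEN 0      4096   0.0.0.0:20010      0.0.0.0:*
LISTEN 0      128    [::1]:20010        [::]:*
LISTEN 0      128    *:20020            *:*
"""


def split_host_port(local):
    """Split ss's 'addr:port' column; IPv6 arrives bracketed, e.g. [::1]:20010."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """'*', '0.0.0.0' and '::' bind every interface, so they are not loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def nodeagent_exposure(ss_output, port=NODEAGENT_PORT):
    """Return the local addresses on which `port` listens outside loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header or non-listening row
        try:
            host, p = split_host_port(fields[3])
        except ValueError:
            continue                      # malformed address column
        if p == port and not is_loopback(host):
            exposed.append(host)
    return exposed


def found_markers(paths=MARKER_FILES, exists=os.path.exists):
    """Report which marker files exist; `exists` is injectable for offline tests."""
    return [p for p in paths if exists(p)]
```

On a Linux host, feed it real data with `nodeagent_exposure(subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout)`; any address it returns means the port is reachable beyond localhost and should be firewalled or rebound.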
