CVE-2026-57920
Analyzed Analyzed - Analysis Complete

Authentication Bypass via Semicolon in Peplink InControl 2

Vulnerability report for CVE-2026-57920, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-02

Assigner: MITRE

Description

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-02
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
peplink intcontrol_2 to 2.14.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-551 If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Peplink InControl 2 versions through 2.14.2 before 2026-06-03. It allows an attacker to bypass access-control rules by using a semicolon in requests to certain /rest/o/{orgId} endpoints.

Impact Analysis

The vulnerability can lead to unauthorized access to organizational resources because it bypasses access-control rules. According to the CVSS score of 7.7, it is a high-severity issue with network attack vector, low attack complexity, requiring low privileges, no user interaction, and it impacts confidentiality with a high impact.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57920. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart