CVE-2026-57920
Received - Intake
Authentication Bypass via Semicolon in Peplink InControl 2

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: MITRE

Description
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
peplink | incontrol | From 2.0 (inc) to 2.14.2 (inc)
CWE ID | Description
CWE-551 | If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
Executive Summary

This vulnerability exists in Peplink InControl 2 versions through 2.14.2 before 2026-06-03. It allows an attacker to bypass access-control rules by using a semicolon in requests to certain /rest/o/{orgId} endpoints.

Impact Analysis

The vulnerability can lead to unauthorized access to organizational resources because it bypasses access-control rules. Its CVSS score of 7.7 makes it a high-severity issue: network attack vector, low attack complexity, low privileges required, no user interaction, and a high impact on confidentiality.
