CVE-2026-8100
Status: Received - Intake
Chef 360 API Access Control Bypass via URL Path Handling

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Progress Software Corporation

Description
Impact: A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions. This issue is due to improper handling of URL-encoded paths during request processing. In certain scenarios, an authenticated request may bypass standard access controls, gaining additional privileges, potentially allowing access to API endpoints that are intended to be restricted to higher-permissioned roles. The impact is limited to environments where the affected request patterns can be triggered and depends on specific deployment configuration and access controls in place.

Resolution: The issue has been addressed through product updates that improve request validation and enforce strict path normalization before authorization checks. Customers are advised to update to the latest available version containing the fix, version 1.7.1 or later.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
chef | chef_360 | From 1.7.1 (inc)
CWE ID | Description
CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Executive Summary

This vulnerability exists in Chef 360 and involves improper handling of URL-encoded paths during request processing.

Under certain conditions, an authenticated request can bypass standard access controls and gain additional privileges.

This may allow access to protected API endpoints that are normally restricted to users with higher permission levels.

The issue depends on specific deployment configurations and the ability to trigger affected request patterns.

Impact Analysis

If exploited, this vulnerability can allow an authenticated user to gain unauthorized access to protected API endpoints.

This unauthorized access could lead to privilege escalation, exposing sensitive operations or data intended only for higher-permission roles.

The impact is limited to environments where the specific request patterns can be triggered and depends on the deployment's access controls.

Mitigation Strategies

To mitigate this vulnerability, customers are advised to update to the latest available version of Chef 360 containing the fix, which is version 1.7.1 or later.

The update improves request validation and enforces strict path normalization before authorization checks, preventing unauthorized access to protected API endpoints.
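
One way to enforce a single canonical path before the authorization decision, as the fix is described above. This is an added example, not Chef 360 code: the route prefixes, role names and the functions `canonical_path`, `required_role` and `authorize` are hypothetical, and the router is assumed to dispatch only on the path that `authorize` returns.

```python
import re
from urllib.parse import unquote

# Constructed policy for illustration; not Chef 360's real routes or roles.
PROTECTED_PREFIXES = {"/api/admin": "admin", "/api/orgs": "operator"}
_ENCODED_SEPARATOR = re.compile(r"%(2f|5c|00)", re.IGNORECASE)  # encoded / \ NUL


class RejectedPath(ValueError):
    """Ambiguous request path; answer 400 instead of routing it."""


def canonical_path(raw):
    """Decode exactly once; return the one form used for authz and routing."""
    if not raw.startswith("/") or _ENCODED_SEPARATOR.search(raw):
        raise RejectedPath("non-absolute path or encoded separator")
    try:
        path = unquote(raw, errors="strict")
    except UnicodeDecodeError as exc:
        raise RejectedPath("percent-encoding is not valid UTF-8") from exc
    # A '%' left after one decode means double encoding or a malformed escape.
    if "%" in path or "\\" in path or any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        raise RejectedPath("double encoding, backslash or control character")
    segments = path.split("/")[1:]
    # Refuse dot segments and empty segments instead of resolving them.
    if any(s in ("", ".", "..") for s in segments[:-1]) or segments[-1] in (".", ".."):
        raise RejectedPath("empty or dot segment")
    return path


def required_role(path):
    """Role required for an already canonical path, or None if unprotected."""
    for prefix, role in PROTECTED_PREFIXES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return role
    return None


def authorize(raw, roles):
    """Return (status, path); the router must dispatch on the returned path."""
    try:
        path = canonical_path(raw)
    except RejectedPath:
        return 400, None
    role = required_role(path)
    if role is not None and role not in roles:
        return 403, None
    return 200, path
```

Rejecting ambiguous forms outright, rather than resolving them, keeps the authorization layer and the router from ever disagreeing about which endpoint a request names.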
