CVE-2026-26053
Received Received - Intake

Incorrect Privilege Assignment in Gallagher Command Centre

Vulnerability report for CVE-2026-26053, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Gallagher Group Ltd.

Description

An Incorrect Privilege Assignment (CWE-266) vulnerability in the Command Centre Server allows an authenticated operator with limited privileges to perform some operations that they would not normally be authorized to perform. Version of Command Centre affected: 9.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
gallagher command_centre_server to vEL9.50.1587 (exc)
gallagher command_centre_server to vEL9.40.3130 (exc)
gallagher command_centre_server to vEL9.30.3983 (exc)
gallagher command_centre_server to vEL9.20.4349 (exc)
gallagher command_centre_server 9.10

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-26053 is an Incorrect Privilege Assignment vulnerability (CWE-266) in Gallagher's Command Centre Server software. It allows an authenticated operator with limited privileges to perform some operations that they are not normally authorized to perform.

This affects specific versions of the Command Centre Server prior to certain patch levels, including all versions of 9.10 and earlier versions of 9.20, 9.30, 9.40, and 9.50 before their respective fixed releases.

Impact Analysis

The vulnerability allows an authenticated operator with limited privileges to perform unauthorized operations, which can lead to a high impact on the integrity of the system.

The CVSS score indicates that while there is no impact on confidentiality or availability, the integrity of the system can be compromised. This means unauthorized changes or actions could be performed by users who should not have such permissions.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Gallagher Command Centre Server software is updated to a fixed version. Specifically, upgrade to versions at or beyond vEL9.50.1587(MR1) for 9.50, vEL9.40.3130(MR3) for 9.40, vEL9.30.3983(MR5) for 9.30, or vEL9.20.4349(MR7) for 9.20. All versions of 9.10 are affected and should be upgraded.

Since the vulnerability allows an authenticated operator with limited privileges to perform unauthorized operations, restricting access to trusted operators and monitoring privilege assignments can also help reduce risk until the update is applied.

Compliance Impact

The vulnerability allows an authenticated operator with limited privileges to perform unauthorized operations, which results in a high impact on integrity but no impact on confidentiality or availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity impact could potentially affect compliance by allowing unauthorized changes to data or system operations.

However, since there is no impact on confidentiality or availability, the risk to personal data protection or system uptime required by these regulations may be limited.

No direct information is provided about specific compliance implications in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26053. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart