CVE-2026-53902

MCO Privilege Escalation via Group Membership Manipulation

Vulnerability report for CVE-2026-53902, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: CERT.PL

Description

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionality (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided they have the necessary permissions, or potentially inferred through brute-force techniques. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Executive Summary

This vulnerability occurs because the MCO application does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint.

As a result, an authenticated user can modify their group membership without the necessary authorization, allowing them to escalate their privileges.

An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained through other application functionalities or potentially guessed via brute-force methods.

Impact Analysis

This vulnerability can lead to privilege escalation, where an attacker gains unauthorized access to groups they should not belong to.

By adding themselves to arbitrary groups, attackers may gain elevated permissions or access to sensitive information or functionalities within the application.

Compliance Impact

The vulnerability in MyComplianceOffice (MCO) allows an authenticated user to escalate privileges by modifying their group membership without proper authorization checks. This could potentially lead to unauthorized access to sensitive compliance data or functions within the platform.

Since MCO is a compliance management software used to help organizations meet regulatory obligations, such unauthorized privilege escalation could undermine the integrity of compliance controls, potentially impacting adherence to standards like GDPR or HIPAA that require strict access controls and data protection.

However, the provided information does not explicitly detail the direct impact of this vulnerability on compliance with specific regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves improper authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint, allowing an authenticated user to modify their group membership.

Detection could involve monitoring or testing this specific API endpoint by attempting to modify group memberships with an authenticated user account and verifying if unauthorized changes are possible.

Since no specific detection commands or tools are provided in the context or resources, a general approach would be to use HTTP request tools (e.g., curl) to send authenticated POST or PUT requests to the endpoint and observe if group membership changes are accepted without proper authorization.

  • Example command to test the endpoint (replace placeholders accordingly):

    curl -X POST -H "Authorization: Bearer <token>" -d '{"groupId": "<target_group_id>"}' https://<mco-server>/customer/servlet/mco/webapi/profile-sections/group-membership

Monitoring logs for unexpected changes in group memberships or unusual API calls to this endpoint may also help detect exploitation attempts.
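One way to act on the log-monitoring suggestion above, as an added example that is not part of this advisory or the vendor's code: it scans access-log lines for write methods against the group-membership endpoint and flags non-admin callers (an accepted write is the vulnerable behaviour, a refused one is an attempt) plus repeated writes by one user, which is what group-ID guessing looks like. The log layout, the user field position, the admin allowlist, the threshold and the sample lines are all assumptions constructed for the example.

```python
# Flag writes to the MCO group-membership endpoint in web-server access logs.
# Added example, not code from the advisory or the vendor: the log layout, the
# user field position and the admin allowlist are assumptions; samples are constructed.
import re
from collections import Counter

ENDPOINT = "/customer/servlet/mco/webapi/profile-sections/group-membership"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
ADMINS = {"admin.jane"}   # assumed: the only accounts meant to edit memberships
REPEAT_THRESHOLD = 5      # assumed: this many writes by one user suggests group-ID guessing

# Assumed combined-log layout: client ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines):
    """Return (kind, user, detail) findings for membership writes that merit review."""
    findings, writes = [], Counter()
    for line in lines:
        rec = parse(line)
        if not rec or rec["path"].split("?", 1)[0] != ENDPOINT or rec["method"] not in WRITE_METHODS:
            continue                       # other paths, and reads of one's own profile, are normal
        user = rec["user"]
        writes[user] += 1
        if user in ADMINS:
            continue
        # A 2xx on a non-admin write is the vulnerable behaviour; a 4xx is an attempt that was refused.
        kind = "non_admin_write_accepted" if rec["status"].startswith("2") else "non_admin_write_denied"
        findings.append((kind, user, rec["status"]))
    for user, n in writes.items():
        if n >= REPEAT_THRESHOLD:
            findings.append(("repeated_writes", user, str(n)))
    return findings

# Constructed sample: one admin edit, one normal read, one accepted non-admin write, then guessing.
SAMPLE_LOG = [
    '10.0.0.5 - admin.jane [01/Jul/2026:10:00:01 +0000] "PUT %s HTTP/1.1" 200 12' % ENDPOINT,
    '10.0.0.9 - bob [01/Jul/2026:10:02:11 +0000] "GET %s HTTP/1.1" 200 340' % ENDPOINT,
    '10.0.0.9 - bob [01/Jul/2026:10:02:15 +0000] "POST %s HTTP/1.1" 200 12' % ENDPOINT,
] + [
    '10.0.0.9 - bob [01/Jul/2026:10:02:%02d +0000] "POST %s?groupId=%d HTTP/1.1" 404 0' % (20 + i, ENDPOINT, 100 + i)
    for i in range(4)
]
```

Calling analyze(SAMPLE_LOG) returns one accepted and four denied non-admin writes for bob plus a repeated_writes finding, and nothing for the admin; point it at real log lines once the regex matches your server's format.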

Mitigation Strategies

Immediate mitigation steps should focus on restricting access to the vulnerable endpoint and enforcing proper authorization checks.

Since the vulnerability allows privilege escalation by modifying group memberships without proper authorization, administrators should:

  • Limit access to the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint to only trusted and necessary users.
  • Implement additional monitoring and alerting for changes in group memberships.
  • Review and tighten permissions for authenticated users to prevent unauthorized group modifications.

Because vendor contact attempts were unsuccessful and no patch information is provided, consider isolating or restricting the affected version (25.3.3.1) until a fix or update is available.