CVE-2026-53905

MCO Authorization Bypass Exposes ACL Tree Structure

Vulnerability report for CVE-2026-53905, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: CERT.PL

Description

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor              Product   Version / Range
mycomplianceoffice  mco       to 25.3.3.1 (exc)

Exploitability

CWE ID    Description
CWE-863   The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Compliance Impact

The vulnerability in MyComplianceOffice (MCO) allows an authenticated, low-privileged user to retrieve administrator access control structures without proper authorization checks. This exposure of sensitive permission mappings and internal configuration details could potentially undermine the integrity and confidentiality of compliance management processes.

Since MCO is a compliance management platform designed to help organizations meet regulatory obligations, such unauthorized access could impact the effectiveness of compliance controls required by standards like GDPR and HIPAA. Specifically, unauthorized disclosure of access control structures may increase the risk of data breaches or misuse of sensitive information, which are critical concerns under these regulations.

However, the provided information does not explicitly state the direct impact on compliance certifications or legal obligations under GDPR, HIPAA, or other standards.

Impact Analysis

The vulnerability allows a low-privileged authenticated user to retrieve administrator-level access control information.

This exposure can lead to unauthorized disclosure of sensitive permission mappings and internal configuration details, potentially aiding attackers in escalating privileges or planning further attacks.

Executive Summary

This vulnerability occurs because MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint.

As a result, an authenticated user with low privileges can access administrator access control structures without the necessary permissions.

This improper enforcement may expose sensitive permission mappings and internal configuration details.

Detection Guidance

This vulnerability involves improper authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint, allowing a low-privileged authenticated user to retrieve administrator access control structures.

To detect this vulnerability on your system, request the vulnerable endpoint with a low-privileged user account and observe whether the response includes administrator access control structures that the account should not be authorized to see.

A possible command using curl to test this could be:

  • curl -i -X GET -b 'session_cookie=your_session_cookie' https://[MCO_SERVER]/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure

Replace [MCO_SERVER] with your server address and provide a session cookie for a low-privileged authenticated user. If the response contains administrator ACL data, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to only authorized administrator users and monitoring access logs for suspicious activity involving the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint.

Since the vulnerability is confirmed in version 25.3.3.1 and vendor contact attempts were unsuccessful, consider applying any available patches or updates if released, or implementing network-level controls such as firewall rules to limit access to the affected endpoint.

Additionally, review user privileges and ensure that low-privileged users do not have unnecessary access to sensitive API endpoints.
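As an added example (not from the advisory, the vendor or the MCO product), the following script implements the access-log monitoring suggested under Mitigation Strategies and complements the presence check under Detection Guidance from the defender's side: it scans constructed combined-format access-log lines for successful reads of the get-acl-tree-structure endpoint by accounts outside an assumed administrator list. The log format, usernames and IP addresses are assumptions; MCO's real log layout may differ.

```python
import re
from collections import Counter

# Endpoint named in the advisory for CVE-2026-53905.
ACL_TREE_ENDPOINT = "/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure"

# Accounts allowed to call the endpoint (assumption: administrator usernames
# would come from your own identity source; these are constructed samples).
ADMIN_USERS = {"compliance_admin"}

# Constructed sample access-log lines in a combined-style format with the
# authenticated username in the third field; not real MCO logs.
SAMPLE_LOG = """\
10.0.0.5 - compliance_admin [01/Jul/2026:09:12:01 +0000] "GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure HTTP/1.1" 200 18422
10.0.0.23 - jdoe [01/Jul/2026:09:15:44 +0000] "GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure HTTP/1.1" 200 18422
10.0.0.23 - jdoe [01/Jul/2026:09:15:50 +0000] "GET /customer/servlet/mco/webapi/some-other-endpoint HTTP/1.1" 200 512
10.0.0.41 - - [01/Jul/2026:09:16:02 +0000] "GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure HTTP/1.1" 401 0
10.0.0.23 - jdoe [01/Jul/2026:09:16:10 +0000] "GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure?x=1 HTTP/1.1" 200 18422
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def find_suspicious_acl_reads(log_text, admin_users=ADMIN_USERS):
    """Return one finding per request that successfully (2xx) fetched the ACL
    tree under a non-administrator (or anonymous) identity."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore query string when matching
        if path != ACL_TREE_ENDPOINT:
            continue
        status = int(m["status"])
        if 200 <= status < 300 and m["user"] not in admin_users:
            findings.append({"ip": m["ip"], "user": m["user"], "time": m["ts"], "status": status})
    return findings

def summarize_by_user(findings):
    """Count successful non-admin ACL-tree reads per username to spot repeat offenders."""
    return Counter(f["user"] for f in findings)

if __name__ == "__main__":
    hits = find_suspicious_acl_reads(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT non-admin ACL tree read: user={h['user']} ip={h['ip']} at {h['time']} status={h['status']}")
    print(summarize_by_user(hits))
```

Once the endpoint is restricted to administrators, any remaining hit from this check indicates the control is not yet effective.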
