CVE-2026-56843
Received Received - Intake

Incorrect Authorization in WebPros Plesk XML-RPC API

Vulnerability report for CVE-2026-56843, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: HackerOne

Description

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can be leveraged to execute code as another tenant's system user.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
webpros plesk to 18.0.79 (exc)
webpros plesk to 1.4.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56843 is a security vulnerability in the XML-RPC API of WebPros Plesk versions before 18.0.78.4. It allows a low-privileged authenticated customer to look up domains they do not own because ownership checks are only enforced for certain lookup filters and schema validation is bypassed for legacy protocol versions.

This flaw results in cross-tenant disclosure of other tenants' FTP credentials, which are stored in cleartext. Attackers can leverage these credentials to execute code as another tenant's system user.

The vulnerability affects XML protocol versions below 1.4.2.0 and all Plesk versions below 18.0.79, with 18.0.79 being the patched version.

Impact Analysis

This vulnerability can lead to unauthorized access to FTP credentials of other tenants, which are stored in cleartext.

An attacker with these credentials can upload malicious files and execute arbitrary code remotely (Remote Code Execution) as another tenant's system user.

The overall impact includes a high risk of confidentiality, integrity, and availability breaches, as reflected by the CVSS score of 9.9.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-56843 in Plesk's XML API, users should update to the latest Plesk Obsidian build, specifically version 18.0.79 or later, as this version contains the patch.

As a temporary mitigation, users can disable API access by editing the panel.ini file and adding the following section:

  • [api] enabled = off
Compliance Impact

This vulnerability results in cross-tenant disclosure of other tenants' FTP credentials stored in cleartext, which can lead to unauthorized access and remote code execution. Such unauthorized disclosure of sensitive credentials can violate data protection principles required by common standards and regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data.

Specifically, the exposure of cleartext FTP passwords and the potential for unauthorized code execution represent significant security risks that could lead to breaches of confidentiality, integrity, and availability of data, thereby impacting compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56843. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart