CVE-2026-26289 - Vulnerability Analysis
High | CVSS: 8.2 | Last Updated: May 13, 2026
PowerSYSTEM Center - Broken Access Control
Published: May 12, 2026 | Updated: May 13, 2026
Overview
The PowerSYSTEM Center REST API contains an information disclosure vulnerability: the device account export endpoint allows authenticated users with limited permissions to access sensitive information normally restricted to administrators.
Severity & Score
Severity: High
CVSS Score: 8.2
Impact
Authenticated users with limited permissions can access sensitive administrative information, risking data exposure.
Mitigation
Update to the latest version with access control fixes.
Details
- CVE ID: CVE-2026-26289
- Severity: High
- CVSS Score: 8.2
- Type: broken_access_control
- Status: unconfirmed
CWE
- CWE-863
CVSS Metrics
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L