CVE-2026-29205 - Vulnerability Analysis
Severity: High
CVSS: 8.6
Last Updated: May 14, 2026
Unknown - Broken Access Control
Published: May 13, 2026
Updated: May 14, 2026
Remote Exploitable
Overview
A product from an unknown vendor contains a broken access control flaw caused by incorrect privilege management and insufficient path filtering in the cpdavd attachment download endpoints. Attackers can read arbitrary files on the server, and exploitation requires no special privileges.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Attackers can read arbitrary files on the server, potentially exposing sensitive information.
Mitigation
Update to the latest version or apply patches that fix privilege management and path filtering.
Details
- CVE ID: CVE-2026-29205
- Severity: High
- CVSS Score: 8.6
- Type: broken_access_control
- Status: unconfirmed
CWE
- CWE-250
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L