Description
Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication.
Published: 2026-03-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Information Disclosure
Action: Patch
AI Analysis

Impact

Serviio PRO 1.8 contains a flaw in its Configuration REST API that allows unauthenticated attackers to send crafted requests and retrieve sensitive configuration data such as credentials and network settings, resulting in a compromise of confidentiality; the vulnerability is classified as CWE‑306, indicating an authorization bypass.

Affected Systems

The impacted product is Serviio PRO version 1.8 from the vendor Serviio; no other versions are listed as affected.

Risk and Exploitability

With a CVSS score of 8.7 the vulnerability is considered high severity, but its EPSS score of less than 1 % suggests low likelihood of exploitation, and it is not listed in the CISA KEV catalog, yet the lack of authentication requirements means any remote host that can reach the REST API can obtain the disclosed information.

Generated by OpenCVE AI on March 21, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent Serviio PRO patch that fixes the REST API information disclosure issue.
  • Restrict network access to the REST API endpoints with firewall rules or by limiting them to trusted hosts.
  • If the REST API is not required, disable or remove it from the configuration.

Generated by OpenCVE AI on March 21, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Serviio
Serviio serviio Pro
Vendors & Products Serviio
Serviio serviio Pro

Sun, 15 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrieve potentially sensitive configuration data without authentication.
Title Serviio PRO 1.8 REST API Information Disclosure
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Serviio Serviio Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:18.020Z

Reserved: 2026-03-15T17:44:02.111Z

Link: CVE-2017-20217

cve-icon Vulnrichment

Updated: 2026-03-16T14:17:17.753Z

cve-icon NVD

Status : Deferred

Published: 2026-03-16T14:17:51.090

Modified: 2026-04-15T14:56:45.970

Link: CVE-2017-20217

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:21Z

Weaknesses