Description
Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management (IAM) module. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to gaining read access to unauthorized data.
Published: 2026-05-22
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dell ECS versions 3.5 and 3.6 have an Improper Access Control flaw in the Identity and Access Management module. This weakness allows a remote attacker who has not authenticated to obtain read access to data that the victim should not see. The impact is the exposure of confidential information and potential data leakage, with a CVSS score of 5.9 indicating moderate severity.

Affected Systems

Dell Elastic Cloud Storage (ECS) configuration versions 3.5 and 3.6 are affected. Any deployment of these versions that has the IAM module enabled and accessible from an external network may be vulnerable.

Risk and Exploitability

The vulnerability can be exploited over the network by sending specially crafted IAM requests; authentication is not required, so the attack surface is broad. Based on the description, it is inferred that the attacker does not need to authenticate to gain this access. The EPSS score is not reported, but the CVSS score of 5.9 reflects a notable risk for data confidentiality. The CVE is not listed in the CISA KEV catalog, indicating that there have been no confirmed exploits in the wild yet, yet the potential for misuse remains high for organizations still running the affected versions.

Generated by OpenCVE AI on May 22, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Dell ECS update that fixes the IAM access control issue for versions 3.5 and 3.6.
  • Reconfigure IAM policies to follow the principle of least privilege, removing any unnecessary read permissions.
  • Enable and review activity logs for unauthorized IAM requests, and deploy alerting for suspicious access attempts.

Generated by OpenCVE AI on May 22, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2022-54113
History

Sat, 23 May 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Improper Access Control Allows Unauthorized Read in Dell ECS IAM

Fri, 22 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Dell
Dell ecs
Vendors & Products Dell
Dell ecs

Fri, 22 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management (IAM) module. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to gaining read access to unauthorized data.
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Dell Ecs
cve-icon MITRE

Status: PUBLISHED

Assigner: dell

Published:

Updated: 2026-05-23T02:32:17.628Z

Reserved: 2022-05-19T15:10:24.879Z

Link: CVE-2022-31231

cve-icon Vulnrichment

Updated: 2026-05-23T02:32:13.372Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T17:00:15Z

Weaknesses