Description
In Secure Access 12.70 and prior to 14.20, the logging
subsystem may write an unredacted authentication token to logs under
certain configurations. Any party with access to those logs could read
the token and reuse it to access an integrated system.
Published: 2026-01-17
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure with Potential Unauthorized Access
Action: Update
AI Analysis

Impact

The Secure Access application can log an authentication token in clear text under certain log configuration settings. If an attacker obtains access to those logs, the token can be replayed to gain unauthorized access to an integrated system. This exposes confidential credential information and enables potential impersonation of a legitimate user.

Affected Systems

The vulnerability affects Absolute Security Secure Access versions 12.70 through 14.19, inclusive. Systems running these releases have a logging component that may write unredacted authentication tokens to application logs.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is an attacker who gains local or remote read access to the application log files. Success requires only that log files be accessible; no additional conditions or public exploitation code are described.

Generated by OpenCVE AI on April 18, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Secure Access to version 14.20 or later to eliminate the logging of authentication tokens.
  • Reconfigure the logging subsystem to redact or omit authentication tokens if the patch is unavailable, following any vendor guidance for log filtering.
  • Restrict write and read access to the application log files to a minimal set of privileged administrators and monitor logs for suspicious access.



Advisories

No advisories yet.

History

Mon, 02 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:absolute:secure_access:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1: {'score': 3.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


Tue, 20 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-532
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Absolute, Absolute secure Access
Vendors & Products | | Absolute, Absolute secure Access

Sat, 17 Jan 2026 02:00:00 +0000

Type | Values Removed | Values Added
Description | | In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system.
Title | | Information Disclosure in Secure Access Between 12.70 and 14.20
References | |
Metrics | | cvssV4_0: {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Absolute

Published:

Updated: 2026-01-20T18:39:13.845Z

Reserved: 2025-12-12T17:25:37.542Z

Link: CVE-2026-0519

Vulnrichment

Updated: 2026-01-20T18:38:31.687Z

NVD

Status: Analyzed

Published: 2026-01-17T02:15:49.627

Modified: 2026-02-02T16:04:56.253

Link: CVE-2026-0519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses