Description
An unauthorized user can modify configuration through API calls that affects the OpenText Access Manager. This issue affects Access Manager before 5.1.3.
Published: 2026-06-24
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthorized user can modify configuration through API calls in OpenText Access Manager. The missing authorization check allows an attacker who can reach the API to change system settings, potentially altering permissions, flow rules, or other critical configuration, thereby compromising the security posture. The record titles this flaw a missing authorization vulnerability and maps it to CWE-648 (Incorrect Use of Privileged APIs). The likely attack vector is the publicly exposed API endpoint, as the description indicates API calls but does not specify authentication requirements.

Affected Systems

The vulnerability affects OpenText Access Manager releases before version 5.1.3. Any deployment of Access Manager 5.1.2 or earlier is vulnerable when the API is accessible without adequate authorization checks.

Risk and Exploitability

The CVSS base score of 6.3 indicates medium severity, and no EPSS data is currently available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker with network access to the API endpoint can exploit the missing authorization to alter configuration settings. Because the flaw allows privileged changes without authentication, it is considered a significant risk to the integrity and availability of the configuration state.

Generated by OpenCVE AI on June 24, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released security patch or upgrade to OpenText Access Manager 5.1.3 or later.
  • Verify that API authentication and authorization controls are properly configured to enforce privileged access controls.
  • Limit network exposure of the API endpoint and/or enable firewall rules to restrict access to trusted IP addresses.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opentext; Opentext access Manager
Vendors & Products | | Opentext; Opentext access Manager

Wed, 24 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | An unauthorized user can modify configuration through API calls that affects the OpenText Access Manager. This issue affects Access Manager before 5.1.3.
Title | | Missing Authorization Vulnerability in OpenText Access Manager
Weaknesses | | CWE-648
References | |
Metrics | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: OpenText

Published:

Updated: 2026-06-24T15:02:15.542Z

Reserved: 2026-06-10T13:19:47.916Z

Link: CVE-2026-11877

Vulnrichment

Updated: 2026-06-24T15:01:55.329Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:40:45Z

Weaknesses
  • CWE-648: Incorrect Use of Privileged APIs