CVE-2026-2339 - Vulnerability Details

- RCE in TUBITAK BILGEM's Liderahenk

Description

Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection.This issue affects Liderahenk: before 3.5.1.

Published: 2026-03-10

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is caused by a missing authentication check on a critical function in the Liderahenk application. This flaw allows an attacker to perform command injection and include arbitrary code, enabling remote code execution with the privileges of the service. The weakness is classified as CWE‑306, reflecting the lack of proper authentication controls.

Affected Systems

The affected product is Liderahenk, produced by the TUBITAK BILGEM Software Technologies Research Institute. All versions earlier than 3.5.1 are vulnerable; newer releases contain the fix.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers can likely exploit the flaw remotely over the network by sending a crafted request to the unauthenticated endpoint. While the likelihood of exploitation is low, the potential impact of arbitrary code execution warrants urgent attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TUBITAK BILGEM Software Technologies Research Institute

Liderahenk

unaffected

Version	Status	Constraints
`0`	affected	< 3.5.1

No data.

Vendor Product Confidence Versions

Tubitak Bilgem Software Technologies Research Institute

Liderahenk

100%

Version	Status	Scheme	Platform
`[0,v3.4.0)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Liderahenk to version 3.5.1 or later, which implements the required authentication check.
If an upgrade is not immediately possible, restrict access to the affected service by disabling the vulnerable function or enforcing authentication on the API endpoint through configuration.
Apply network segmentation and firewall rules to limit exposure of the Liderahenk instance to trusted networks only.

Generated by OpenCVE AI on April 16, 2026 at 03:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00146.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.usom.gov.tr/bildirim/tr-26-0087

History

Fri, 27 Mar 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description	Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection.This issue affects Liderahenk: before v3.4.0.	Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection.This issue affects Liderahenk: before 3.5.1.

Wed, 11 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tubitak Bilgem Software Technologies Research Institute Tubitak Bilgem Software Technologies Research Institute liderahenk
Vendors & Products		Tubitak Bilgem Software Technologies Research Institute Tubitak Bilgem Software Technologies Research Institute liderahenk

Tue, 10 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		Missing Authentication for Critical Function vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Remote Code Inclusion, Privilege Abuse, Command Injection.This issue affects Liderahenk: before v3.4.0.
Title		RCE in TUBITAK BILGEM's Liderahenk
Weaknesses		CWE-306
References		https://www.usom.gov.tr/bildirim/tr-26-0087
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Tubitak Bilgem Software Technologies Research Institute Liderahenk

MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published: 2026-03-10T12:39:12.987Z

Updated: 2026-03-27T07:28:49.302Z

Reserved: 2026-02-11T11:41:37.455Z

Link: CVE-2026-2339

Vulnrichment

Updated: 2026-03-10T13:33:33.245Z

NVD

Status : Deferred

Published: 2026-03-10T18:18:48.393

Modified: 2026-04-30T15:51:48.730

Link: CVE-2026-2339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses

CWE-306

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object