Description
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.
Published: 2026-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized API Credential Exposure
Action: Immediate Patch
AI Analysis

Impact

An API management endpoint in BMC Control‑M/MFT allows unauthenticated users to retrieve an API identifier and its corresponding secret. These exposed secrets give an attacker the ability to call privileged API operations, effectively granting unauthorized access to the system and the data it manages. The flaw is a typical example of a weakness that permits elevation of privilege through credential compromise.

Affected Systems

BMC Control‑M/MFT versions 9.0.20 through 9.0.22 are affected. The vulnerability applies to both the Control‑M and MFT components within these release ranges.

Risk and Exploitability

The CVSS score of 7.5 indicates a high level of risk, while the EPSS score of less than 1% suggests that widespread exploitation may be limited, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the combination of unauthenticated access and the ability to leverage secret credentials presents a clear threat vector over the network, making the issuance of a patch a priority for affected installations.

Generated by OpenCVE AI on April 14, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the BMC Control‑M/MFT patch referenced in the vendor documentation to remove the unauthenticated API endpoint

Generated by OpenCVE AI on April 14, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Bmc control-m\/managed File Transfer
CPEs cpe:2.3:a:bmc:control-m\/managed_file_transfer:*:*:*:*:*:*:*:*
Vendors & Products Bmc control-m\/managed File Transfer

Wed, 15 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title Unauthorized API Credential Exposure Enables Privileged Operations in BMC Control‑M/MFT

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated API Endpoint Exposes Secrets in BMC Control‑M/MFT 9.x
Weaknesses CWE-256

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated API Endpoint Exposes Secrets in BMC Control‑M/MFT 9.x
Weaknesses CWE-256
CWE-284

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Bmc
Bmc control-m
Vendors & Products Bmc
Bmc control-m

Fri, 10 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.
References

Subscriptions

Bmc Control-m Control-m\/managed File Transfer
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T14:00:37.511Z

Reserved: 2026-01-16T00:00:00.000Z

Link: CVE-2026-23782

cve-icon Vulnrichment

Updated: 2026-04-14T13:59:04.050Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T15:16:23.210

Modified: 2026-04-27T19:11:46.547

Link: CVE-2026-23782

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses