Description
Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control.
Published: 2026-05-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an incorrect access control flaw in Northern.tech CFEngine Enterprise that allows an attacker to gain unauthorized access to privileged operations or sensitive data. It is classified as CWE-284 (Improper Access Control). The attack can lead to data compromise, system modification, or disruption of services, depending on the permissions granted to the compromised account.

Affected Systems

The affected products are Northern.tech CFEngine Enterprise releases before 3.21.8, 3.24.3, and 3.27.0. Systems running these older CFEngine Enterprise versions are susceptible to the flaw.

Risk and Exploitability

The CVSS score is 5.3, and the EPSS score is < 1%, indicating a low but nonzero exploitation probability. It is not listed in the CISA KEV catalog. Based on the nature of the flaw, the likely attack vector could be remote or local, depending on network exposure and authentication mechanisms. The weakness permits unauthorized access to functionalities that should be restricted, allowing an attacker to potentially read, modify, or delete configuration data or execute privileged commands.

Generated by OpenCVE AI on May 15, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any security update or patch released by Northern.tech for CFEngine Enterprise, specifically versions 3.21.8, 3.24.3, or 3.27.0 or later.
  • If a patch is not yet available, disable or limit network exposure for the CFEngine service and enforce strict firewall rules and access controls.
  • Verify configuration files and deployment settings to ensure that access control policies align with least‑privilege principles.

Advisories

No advisories yet.

History

Tue, 19 May 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| CPEs | | cpe:2.3:a:northern.tech:cfengine:*:*:*:*:enterprise:*:*:* |
| | | cpe:2.3:a:northern.tech:cfengine:3.26.0:*:*:*:enterprise:*:*:* |

Sun, 17 May 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| First Time appeared | | Northern.tech; Northern.tech cfengine |
| Vendors & Products | | Northern.tech; Northern.tech cfengine |

Fri, 15 May 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Title | | Incorrect Access Control in CFEngine Enterprise |

Fri, 15 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'} |
| | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Thu, 14 May 2026 15:45:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Title | | Incorrect Access Control in CFEngine Enterprise |
| Weaknesses | | CWE-284 |

Thu, 14 May 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has Incorrect Access Control. |
References

Subscriptions

Northern.tech Cfengine
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T13:28:04.661Z

Reserved: 2026-01-24T00:00:00.000Z

Link: CVE-2026-24711

Vulnrichment

Updated: 2026-05-15T13:27:58.947Z

NVD

Status: Analyzed

Published: 2026-05-14T15:16:44.860

Modified: 2026-05-19T16:44:42.290

Link: CVE-2026-24711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:41:56Z

Weaknesses