Description
Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.
Published: 2026-02-20
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: File Manipulation
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from incorrect permission assignment on a critical resource within Owl CyberDefense Opds, allowing an attacker to manipulate files on the device through a crafted network request. This flaw can enable modification of configuration, firmware, or other system files, potentially facilitating further compromise or denial of service. The weakness is classified as CWE‑732, indicating improper access control over write permissions.

Affected Systems

Owl CyberDefense Opds hardware models Opds‑1000 and Opds‑100, as well as Opds Talon version 2.2.0.4, are affected. The vulnerability is documented for the 2.2.0.4 firmware, and users of earlier versions or earlier-generation hardware should verify whether the same permission logic applies. Vendors and administrators should check the exact device model and firmware version against the CVE advisory to determine whether the device is impacted.

Risk and Exploitability

The CVSS score of 8.5 classifies the issue as high severity, while the EPSS score of less than 1 percent indicates a very low probability of exploitation at present. The likely attack vector is over the network, as the description indicates that a crafted network request can trigger file manipulation; note, however, that the CVSS vectors recorded in the history below specify a local attack vector (AV:L) with low privileges required (PR:L). Since the vulnerability is not listed in the CISA KEV catalogue, there is no evidence of widespread exploitation, but its high severity and the potential for critical file changes warrant prompt mitigation.

Generated by OpenCVE AI on April 18, 2026 at 11:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a firmware release that corrects the permission handling flaw (consult Owl CyberDefense support for the latest patch or release).
  • Restrict external network access to the device’s management interface through firewalls or VPNs so that only trusted administrators can reach it.
  • Enable audit logging for file write operations and configure alerts for unexpected changes to critical configuration or system files.


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Owlcyberdefense; Owlcyberdefense opds-100; Owlcyberdefense opds-1000; Owlcyberdefense opds-talon
CPEs | | cpe:2.3:h:owlcyberdefense:opds-1000:-:*:*:*:*:*:*:*; cpe:2.3:h:owlcyberdefense:opds-100:-:*:*:*:*:*:*:*; cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*
Vendors & Products | | Owlcyberdefense; Owlcyberdefense opds-100; Owlcyberdefense opds-1000; Owlcyberdefense opds-talon
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Owl; Owl opds
Vendors & Products | | Owl; Owl opds

Fri, 20 Feb 2026 23:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.
Title | | Incorrect Permission Assignment for Critical Resource in Owl opds
Weaknesses | | CWE-732
References | |
Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-02-20T23:04:03.576Z

Reserved: 2026-02-11T09:59:47.766Z

Link: CVE-2026-26095

Vulnrichment

Updated: 2026-02-20T17:57:07.740Z

NVD

Status: Analyzed

Published: 2026-02-20T17:25:54.007

Modified: 2026-02-27T17:07:55.077

Link: CVE-2026-26095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z
