Description
Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.
Published: 2026-02-20
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: File Manipulation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from incorrect permission assignment on a critical resource within Owl opds 2.2.0.4, allowing an attacker to craft a network request that causes the victim system to write to or modify that resource. This enables arbitrary file manipulation such as tampering with configuration files, logs, or sensitive data and could ultimately allow an attacker to alter system behavior or inject malicious code.

Affected Systems

The flaw affects Owl CyberDefense’s Open Platform for Digital Security (opds) product line, notably firmware and hardware associated with the opds‑1000 and opds‑100 models, as well as the opds‑talon version 2.2.0.4. Any installation running these components with the default configuration is potentially vulnerable.

Risk and Exploitability

The CVSS v3 score of 8.5 indicates high severity. EPSS indicates a very low but non‑zero probability of exploitation. It is not on the CISA KEV list. The attack vector is inferred to be remote, as a crafted network request can trigger the vulnerability from outside the device.

Generated by OpenCVE AI on April 17, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released firmware update that addresses the permission assignment issue, if available.
  • If an update is not yet released, reconfigure the affected file’s permissions to enforce the principle of least privilege, ensuring that only privileged processes can write to it.
  • Restrict network access to the opds critical resources by placing the device behind a firewall or applying ACLs that limit the source IPs and ports that can reach the endpoints.
  • Monitor system logs for unauthorized write attempts to the critical resource and alert administrators upon detection.

Generated by OpenCVE AI on April 17, 2026 at 17:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Owlcyberdefense
Owlcyberdefense opds-100
Owlcyberdefense opds-1000
Owlcyberdefense opds-talon
CPEs cpe:2.3:h:owlcyberdefense:opds-1000:-:*:*:*:*:*:*:*
cpe:2.3:h:owlcyberdefense:opds-100:-:*:*:*:*:*:*:*
cpe:2.3:o:owlcyberdefense:opds-talon:2.2.0.4:*:*:*:*:*:*:*
Vendors & Products Owlcyberdefense
Owlcyberdefense opds-100
Owlcyberdefense opds-1000
Owlcyberdefense opds-talon
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Owl
Owl opds
Vendors & Products Owl
Owl opds

Sat, 21 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Description Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.
Title Incorrect Permission Assignment for Critical Resource in Owl opds
Weaknesses CWE-732
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Owl Opds
Owlcyberdefense Opds-100 Opds-1000 Opds-talon
cve-icon MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-02-20T23:03:04.976Z

Reserved: 2026-02-11T09:59:47.767Z

Link: CVE-2026-26101

cve-icon Vulnrichment

Updated: 2026-02-20T17:43:36.733Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T17:25:54.967

Modified: 2026-02-27T17:00:38.157

Link: CVE-2026-26101

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses