Description
PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.
Published: 2026-05-12
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the PowerSYSTEM Center REST API endpoint that exports device account information. An authenticated user with limited permissions is able to invoke this endpoint and retrieve sensitive data that should normally be restricted to administrators. This incorrect authorization allows an attacker to read privileged account details, potentially exposing credentials, configuration data, or other sensitive information. The weakness is categorized as CWE-863: Improper Authorization.

Affected Systems

Subnet Solutions PowerSYSTEM Center 2020, 2024, and 2026 (the releases identified as PSC 2020, PSC 2024, and PSC 2026). The fixed patch levels listed in the vendor solution are PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix.

Risk and Exploitability

The CVSS score of 8.4 classifies the flaw as high severity, indicating significant impact if exploited. EPSS data is not available, but the vulnerability requires only an authenticated user with non-administrative rights, which many organizations grant. It is not currently listed in CISA's KEV database. The most likely attack vector involves an internal user or compromised account exploiting the export endpoint to gather sensitive information. While no public exploits are known, the flaw can be leveraged to compromise confidentiality by exposing account credentials and related data.

Generated by OpenCVE AI on May 12, 2026 at 22:35 UTC.

Remediation

Vendor Solution

Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center: PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix. For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com). Subnet Solutions recommends users do the following in order to reduce risk:

  • Monitor user activity records to ensure users are following acceptable usage policies of the application.
  • Restrict access to Notification Settings to trusted Administrators.
  • Monitor "Send from Address" in settings and Activity Records.
  • Configure a notification rule that triggers on any bulk account export activity.


OpenCVE Recommended Actions

  • Update to the latest PowerSYSTEM Center release: PSC 2020 Update 29, PSC 2024 Update 2, or PSC 2026 GA Hotfix as appropriate for your environment.
  • Restrict the Device Account Export API so that only users with administrator privileges can access it.
  • Implement the vendor-recommended monitoring: review user activity logs, restrict Notification Settings access to trusted administrators, and configure alerts for bulk export activities.
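The two recommended controls, an administrator-only check on the export endpoint and an alert on bulk export activity, are shown below as an added illustration. This is example code written for this page, not PowerSYSTEM Center's own implementation; the user model, role names, sample device accounts and the alert sink are all hypothetical and constructed for the example.

```python
"""Added example (not PowerSYSTEM Center code): an admin-gated device-account
export beside the CWE-863 shape it replaces, plus an audit hook that a
"bulk account export" notification rule could match. All names, roles and
records are hypothetical and constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # e.g. frozenset({"admin"}) or frozenset({"operator"})


# Constructed sample store standing in for what the export endpoint serialises.
DEVICE_ACCOUNTS = [
    {"device": "rtu-01", "username": "svc_rtu01", "secret": "SAMPLE-SECRET-1"},
    {"device": "rtu-02", "username": "svc_rtu02", "secret": "SAMPLE-SECRET-2"},
    {"device": "ied-07", "username": "svc_ied07", "secret": "SAMPLE-SECRET-3"},
]

# Hypothetical threshold: an export returning more accounts than this is "bulk".
BULK_EXPORT_THRESHOLD = 2

# Stand-in for the audit log / notification sink.
ALERTS: list = []


def export_device_accounts_vulnerable(user: User) -> list:
    """CWE-863 shape: authentication is checked, authorization is not.
    Any authenticated user, whatever their role, receives every record."""
    if not user.name:
        raise PermissionError("authentication required")
    return list(DEVICE_ACCOUNTS)


def export_device_accounts(user: User) -> list:
    """Hardened variant: deny by default, allow only the admin role, and
    write an audit event for every attempt so monitoring can act on it."""
    if "admin" not in user.roles:
        ALERTS.append({"event": "export_denied", "user": user.name})
        raise PermissionError(f"{user.name} lacks the admin role for account export")
    records = list(DEVICE_ACCOUNTS)
    ALERTS.append({
        "event": "export",
        "user": user.name,
        "count": len(records),
        "bulk": len(records) > BULK_EXPORT_THRESHOLD,
    })
    return records


def bulk_export_events(alerts=None) -> list:
    """Return the audit events a bulk-account-export notification rule would fire on."""
    source = ALERTS if alerts is None else alerts
    return [a for a in source if a.get("event") == "export" and a.get("bulk")]


if __name__ == "__main__":
    operator = User("op", frozenset({"operator"}))
    admin = User("alice", frozenset({"admin"}))
    print("vulnerable endpoint, operator:", len(export_device_accounts_vulnerable(operator)), "records")
    try:
        export_device_accounts(operator)
    except PermissionError as exc:
        print("hardened endpoint, operator:", exc)
    export_device_accounts(admin)
    print("bulk export events for the notification rule:", bulk_export_events())
```

The denied attempt is logged as well as the successful one: the denial event is what the "monitor user activity records" recommendation is looking for, and the `bulk` flag is the condition a notification rule would key on.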


Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 12 May 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only. |
| Title | | Subnet Solutions PowerSYSTEM Center Incorrect Authorization |
| Weaknesses | | CWE-863 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L'}; cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:H/SA:H'} |



MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-13T00:19:14.634Z

Reserved: 2026-04-16T14:05:42.127Z

Link: CVE-2026-26289

Vulnrichment

Updated: 2026-05-13T00:19:11.201Z

NVD

Status: Received

Published: 2026-05-12T22:16:32.823

Modified: 2026-05-12T22:16:32.823

Link: CVE-2026-26289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z

Weaknesses