Description
Missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client v3.0 allows remote attackers to access application functionality without restriction via the network.
Published: 2026-03-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to application functionality via the web API
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authentication and authorization check in the web API of TCS Cognix Recon Client v3.0. It allows an attacker who can reach the API over the network to invoke endpoint functionality without any form of credential verification. The result is that the attacker can exploit the application's logic without restriction, effectively bypassing all intended access control, which constitutes a significant confidentiality and integrity risk for the data handled by the solution.

Affected Systems

This flaw affects the TCS Cognix Platform v3.0. No other versions or vendors are listed as impacted. If your deployment uses Cognix Platform 3.0, the web API endpoints are vulnerable.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is classified as high severity. The EPSS score is less than 1%, indicating a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote over the network, targeting the exposed web API. An attacker needs only network connectivity to the API services; because the endpoints perform no authentication, that connectivity gives unrestricted use of the functionality they provide.

Generated by OpenCVE AI on April 16, 2026 at 13:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Cognix Platform to the latest version that includes proper authentication mechanisms for the web API, if such a release is available from TCS.
  • If a patch is not yet available, limit network exposure by configuring firewall or reverse‑proxy rules to allow only trusted IP addresses to reach the web API endpoints, thereby reducing the attack surface.
  • Implement access controls on the API layer, such as API keys or OAuth tokens, as an additional safeguard until a formal fix is applied.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 13:30:00 +0000

Type | Values Removed | Values Added
Title | | Unauthenticated Access in Cognix Recon Client Web API Allows Remote Functionality Exfiltration

Tue, 10 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tcs cognix Platform
CPEs | | cpe:2.3:a:tcs:cognix_platform:3.0:*:*:*:*:*:*:*
Vendors & Products | | Tcs cognix Platform

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tcs; Tcs cognix Recon Client
Vendors & Products | | Tcs; Tcs cognix Recon Client

Fri, 06 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon Client v3.0 allows remote attackers to access application functionality without restriction via the network.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-06T09:57:54.697Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26418

Vulnrichment

Updated: 2026-03-06T09:57:21.214Z

NVD

Status: Analyzed

Published: 2026-03-05T19:16:04.800

Modified: 2026-03-10T18:33:53.873

Link: CVE-2026-26418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses