Description
Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Disclosure
Action: Patch
AI Analysis

Impact

This vulnerability arises from an improper authentication mechanism that allows an attacker to bypass the intended login checks and gain unauthorized read or modification rights to protected data stored by Acronis Cyber Protect. The flaw is identified as CWE-1390, which highlights the failure to properly handle authentication and authorization conditions. The impact is a potential exposure of any data the application manages, leading to confidentiality compromise.

Affected Systems

Acronis Cyber Protect 17 on Linux and Windows prior to build 41186.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is remote network exposure, with crafted requests that do not carry valid credentials. The CVSS score of 9.8 denotes a high severity exposure. The EPSS score of less than 1% suggests that exploitation is not common at the time of this assessment, yet the vulnerability can be triggered remotely when the service is reachable. The issue is not listed in CISA’s KEV catalog, but because it removes authentication safeguards, any actor able to reach the Acronis service can immediately obtain access to sensitive information.

Generated by OpenCVE AI on April 18, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Acronis Cyber Protect update that includes the fix for build 41186 or later.
  • If an update is not available, restrict the Acronis service by blocking its ports or limiting access through firewall rules.
  • Monitor authentication and data access logs for suspicious activity.

Generated by OpenCVE AI on April 18, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Causing Sensitive Data Exposure in Acronis Cyber Protect 17

Thu, 12 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Acronis cyber Protect
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Acronis cyber Protect
Linux
Linux linux Kernel
Microsoft
Microsoft windows
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Acronis
Acronis acronis Cyber Protect 17
Vendors & Products Acronis
Acronis acronis Cyber Protect 17

Fri, 06 Mar 2026 00:00:00 +0000

Type Values Removed Values Added
Description Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Weaknesses CWE-1390
References
Metrics cvssV3_0

{'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Acronis Acronis Cyber Protect 17 Cyber Protect
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-03-07T04:55:20.943Z

Reserved: 2026-03-03T02:29:03.752Z

Link: CVE-2026-28710

cve-icon Vulnrichment

Updated: 2026-03-06T19:31:23.392Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T00:16:11.300

Modified: 2026-03-12T18:25:51.837

Link: CVE-2026-28710

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses