Description
Sensitive information disclosure due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Published: 2026-03-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from an improper authorization check that allows an attacker to read sensitive data they should not be able to access. The flaw does not provide code execution or denial of service, but it compromises confidentiality by exposing that information to unauthorized parties. The weakness is classified as CWE-863, indicating a failure in access control logic.

Affected Systems

Products affected are Acronis Cyber Protect 17 running on Linux and Windows operating systems. Versions before build 41186 are vulnerable; newer builds contain the fix.

Risk and Exploitability

The CVSS score of 6.5 places the issue in the Medium severity range. The EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not yet listed in the CISA KEV catalogue. Exploiting the missing authorization checks likely requires some level of authentication or local access, but the exact attack vector is not detailed in the advisory and is inferred from the nature of the flaw.

Generated by OpenCVE AI on April 16, 2026 at 11:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Acronis Cyber Protect 17 build 41186 or later for both Linux and Windows platforms.
  • Reconfigure any exposed service endpoints to limit connectivity from untrusted networks while the update is applied.
  • Review and tighten access control policies for sensitive data in Acronis solutions to reduce residual exposure.


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

Values added:
  • Title: Sensitive Data Leak from Authorization Flaw in Acronis Cyber Protect

Thu, 12 Mar 2026 18:30:00 +0000

Values added:
  • First Time appeared: Acronis cyber Protect; Linux; Linux linux Kernel; Microsoft; Microsoft windows
  • CPEs: cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products: Acronis cyber Protect; Linux; Linux linux Kernel; Microsoft; Microsoft windows
  • Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Mar 2026 18:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Values added:
  • First Time appeared: Acronis; Acronis acronis Cyber Protect 17
  • Vendors & Products: Acronis; Acronis acronis Cyber Protect 17

Fri, 06 Mar 2026 00:00:00 +0000

Values added:
  • Description: Sensitive information disclosure due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
  • Weaknesses: CWE-863
  • References:
  • Metrics: cvssV3_0 {'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-03-09T17:19:34.034Z

Reserved: 2026-03-03T02:29:03.753Z

Link: CVE-2026-28715

Vulnrichment

Updated: 2026-03-09T17:19:29.574Z

NVD

Status: Analyzed

Published: 2026-03-06T00:16:12.047

Modified: 2026-03-12T18:24:07.357

Link: CVE-2026-28715

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:00:11Z

Weaknesses