Description
Unauthorized report deletion due to insufficient access control. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Published: 2026-03-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Loss (Report Deletion)
Action: Patch ASAP
AI Analysis

Impact

The vulnerability allows an attacker to delete reports that they should not be able to remove because access control checks are missing. As a result, deleted reports are permanently lost, compromising the accuracy and completeness of the system’s reporting data.

Affected Systems

Acronis Cyber Protect 17 running on Linux and Windows, any build prior to build 41186, is affected by this flaw.

Risk and Exploitability

The CVSS v3 base score of 4.3 indicates moderate severity, while the EPSS score of less than 1 % suggests a low likelihood of exploitation. The vulnerability is not listed in CISA KEV. The description indicates the flaw requires an authenticated user with sufficient privileges to invoke the deletion function; remote exploitation is not specified, so the attack is inferred to be local or authenticated.

Generated by OpenCVE AI on April 18, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Acronis Cyber Protect to build 41186 or newer, which fixes the insufficient access control issue.
  • Restrict report deletion permissions to a limited set of trusted administrators to enforce least privilege.
  • Enable and regularly review audit logs to detect any unexpected report deletion activity.

Generated by OpenCVE AI on April 18, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Acronis cyber Protect
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Acronis cyber Protect
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Acronis
Acronis acronis Cyber Protect 17
Vendors & Products Acronis
Acronis acronis Cyber Protect 17

Fri, 06 Mar 2026 00:00:00 +0000

Type Values Removed Values Added
Description Unauthorized report deletion due to insufficient access control. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Weaknesses CWE-863
References
Metrics cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Acronis Acronis Cyber Protect 17 Cyber Protect
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-03-09T16:36:46.071Z

Reserved: 2026-03-03T02:29:03.754Z

Link: CVE-2026-28723

cve-icon Vulnrichment

Updated: 2026-03-09T16:36:42.666Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T00:16:13.340

Modified: 2026-03-13T16:38:26.863

Link: CVE-2026-28723

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses