Description
Unauthorized data access due to insufficient access control validation. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Published: 2026-03-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from insufficient validation of access controls, allowing an attacker to read protected data they are not authorized to see. The weakness is classified as CWE-863, indicating a flaw in access control checks.

Affected Systems

Acronis Cyber Protect 17 running on Linux and Windows is affected for builds prior to 41186. Builds 41186 and later include the fix, and no other platforms are documented as impacted.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity, while an EPSS score of less than 1% signifies a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploits. Based on the description, it is inferred that exploitation could occur through local privilege misuse or via exposed APIs that fail to enforce proper access controls.

Generated by OpenCVE AI on April 18, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Acronis Cyber Protect 17 to build 41186 or later.
  • If an upgrade is not immediately possible, enforce stricter role‑based access controls and audit existing permissions to ensure only authorized users can read protected data.
  • Disable or closely monitor any exposed services or APIs that may allow unvalidated data retrieval.

Generated by OpenCVE AI on April 18, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Access via Insufficient Access Control in Acronis Cyber Protect 17

Fri, 13 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Acronis cyber Protect
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Acronis cyber Protect
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Fri, 06 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Acronis
Acronis acronis Cyber Protect 17
Vendors & Products Acronis
Acronis acronis Cyber Protect 17

Fri, 06 Mar 2026 00:00:00 +0000

Type Values Removed Values Added
Description Unauthorized data access due to insufficient access control validation. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Weaknesses CWE-863
References
Metrics cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Acronis Acronis Cyber Protect 17 Cyber Protect
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-03-06T19:34:04.863Z

Reserved: 2026-03-03T02:29:03.754Z

Link: CVE-2026-28724

cve-icon Vulnrichment

Updated: 2026-03-06T19:29:51.473Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T00:16:13.487

Modified: 2026-03-13T16:37:52.527

Link: CVE-2026-28724

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses