Description
Sensitive information disclosure due to improper access control. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
Published: 2026-03-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

CVE-2026-28726 is an improper access control flaw that permits sensitive data disclosure in Acronis Cyber Protect 17. The weakness allows unauthenticated or insufficiently privileged users to read confidential information that should otherwise be protected, compromising confidentiality; the weakness type is CWE-863.

Affected Systems

This vulnerability affects Acronis Cyber Protect 17 running on Linux or Windows platforms, specifically builds prior to 41186. Any system with an older build is potentially exploitable.

Risk and Exploitability

The CVSS score of 4.3 denotes a medium severity for confidentiality impact, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The advisory notes that the vulnerability is not listed in the CISA KEV catalog. Because the description does not specify an attack vector, the threat could be local or remote depending on how the affected system exposes the vulnerable functionality.

Generated by OpenCVE AI on April 16, 2026 at 11:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Acronis Cyber Protect 17 to build 41186 or later.
  • Perform a comprehensive audit of sensitive data access permissions to ensure proper access control is enforced.
  • Limit user and network access to the application only to trusted accounts and network segments until the patch is applied.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Improper Access Control in Acronis Cyber Protect 17 Exposes Sensitive Information |

Fri, 13 Mar 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Acronis cyber Protect; Linux; Linux linux Kernel; Microsoft; Microsoft windows |
| CPEs | | cpe:2.3:a:acronis:cyber_protect:*:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* |
| Vendors & Products | | Acronis cyber Protect; Linux; Linux linux Kernel; Microsoft; Microsoft windows |

Fri, 06 Mar 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 06 Mar 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Acronis; Acronis acronis Cyber Protect 17 |
| Vendors & Products | | Acronis; Acronis acronis Cyber Protect 17 |

Fri, 06 Mar 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Sensitive information disclosure due to improper access control. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. |
| Weaknesses | | CWE-863 |
| References | | |
| Metrics | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Acronis

Published:

Updated: 2026-03-06T19:33:44.772Z

Reserved: 2026-03-03T02:29:03.754Z

Link: CVE-2026-28726

Vulnrichment

Updated: 2026-03-06T19:29:44.929Z

NVD

Status: Analyzed

Published: 2026-03-06T00:16:13.783

Modified: 2026-03-13T16:38:04.100

Link: CVE-2026-28726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:00:11Z

Weaknesses