Description
An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in some loss of confidentiality, but there is no endpoint exposed to use these credentials.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

An unauthenticated remote attacker can read a configuration file that contains database credentials, resulting in a partial loss of confidentiality. The attack does not grant use of the credentials, but exposure of those secrets can still lead to data privacy concerns. The weakness is identified as CWE-497 (Insecure Interface Design).

Affected Systems

The vulnerability impacts MB connect line products: mbCONNECT24 and mymbCONNECT24. No specific version range is documented, so the issue should be considered to affect all current and older releases of these products until a patch is issued.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate-severity vulnerability. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. The attack vector is inferred to be remote and unauthenticated, leveraging the data24 Endpoint exposed by the affected application. The lack of a known exploit path and the moderate CVSS score imply that, while the risk is present, immediate widespread exploitation is unlikely. Remediation is still recommended.

Generated by OpenCVE AI on April 2, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify if the vendor has released a patch or update and apply it immediately
  • Restrict access to the configuration files and the data24 Endpoint to authorized users only
  • Check the vendor’s website or support channels for any advisory or guidance
  • Consider disabling or limiting directory listing and other features that expose configuration information

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mbconnectline; Mbconnectline mbconnect24; Mbconnectline mymbconnect24
Vendors & Products | | Mbconnectline; Mbconnectline mbconnect24; Mbconnectline mymbconnect24

Thu, 02 Apr 2026 09:30:00 +0000

Type | Values Removed | Values Added
Description | | An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in some loss of confidentiality, but there is no endpoint exposed to use these credentials.
Title | | MB connect line mbCONNECT24 vulnerable to an unauthenticated information disclosure in the data24 Endpoint
Weaknesses | | CWE-497
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-04-02T09:00:17.434Z

Reserved: 2026-03-23T13:15:49.382Z

Link: CVE-2026-33617

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-02T10:16:17.260

Modified: 2026-04-02T10:16:17.260

Link: CVE-2026-33617

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:36Z

Weaknesses