Description
PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.
Published: 2026-05-12
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user with limited permissions to delete project groups within PowerSYSTEM Center, an action that the user should not be able to perform; this represents a breach of the correct authorization controls (CWE‑863). The impact is the removal of configuration items and associated data that may be critical to network operations, potentially causing data loss and disrupting service availability for authorized users.

Affected Systems

Affected products are Subnet Solutions PowerSYSTEM Center 2024 and PowerSYSTEM Center 2026; specific version numbers are not listed in the advisory, so any instance of these releases is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7 indicates moderate to high severity. The exploit requires a valid account with limited permissions, so the attack vector is an authenticated local or network user; no remote code execution is involved. Since EPSS is not available and the vulnerability is not listed in CISA KEV, the expected exploitation likelihood is moderate, but the potential impact on data integrity and availability remains significant.

Generated by OpenCVE AI on May 12, 2026 at 22:38 UTC.

Remediation

Vendor Solution

Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center: PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix. For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403) 270-8885 or by email at [support@subnet.com](mailto:support@subnet.com). Subnet Solutions recommends users do the following in order to reduce risk:

  • Monitor user activity records to ensure users are following acceptable usage policies of the application.
  • Restrict access to Notification Settings to trusted Administrators. Monitor "Send from Address" in settings and Activity Records.
  • Configure a notification rule that triggers on any bulk account export activity.


OpenCVE Recommended Actions

  • Update to the latest release of PowerSYSTEM Center (PSC 2020 Update 29, PSC 2024 Update 2, or PSC 2026 GA Hotfix) to eliminate the authorization flaw.
  • Monitor user activity records to identify any violations of acceptable usage policies.
  • Restrict access to notification settings and the “Send from Address” configuration to trusted administrators only.
  • Configure a notification rule that triggers on any bulk account export activity to detect abnormal data egress.



History

Wed, 13 May 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 12 May 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups. |
| Title | | Subnet Solutions PowerSYSTEM Center Incorrect Authorization |
| Weaknesses | | CWE-863 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'} |
| Metrics | | cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'} |



MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-05-13T00:20:11.420Z

Reserved: 2026-04-16T14:05:42.152Z

Link: CVE-2026-35555

Vulnrichment

Updated: 2026-05-13T00:20:04.327Z

NVD

Status: Received

Published: 2026-05-12T22:16:33.630

Modified: 2026-05-12T22:16:33.630

Link: CVE-2026-35555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z
