Description
A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Claris FileMaker Cloud allows an administrator to bypass a front‑end restriction that controls which operating‑system script schedules can be created. By exploiting this bypass, attackers with Admin Console privileges can run arbitrary OS commands on the underlying host, resulting in full control over the server and all data it stores and services.

Affected Systems

The vulnerability affects Claris FileMaker Cloud; the specific fix is provided in version 2.22.0.5. No other vendors or product versions are listed as affected.

Risk and Exploitability

Because the flaw permits arbitrary command execution, it is a high‑impact Remote Code Execution vulnerability with a CVSS score of 7.2. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation yet. Nevertheless, without mitigation this is a critical risk for any deployment that retains unused privileged Admin Console access. An attacker with such access could compromise the host, exfiltrate data, and pivot to other systems.

Generated by OpenCVE AI on May 13, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Claris FileMaker Cloud to version 2.22.0.5 or later, which fixes the OS Script schedule restriction bypass.
  • Restrict access to the Admin Console so that only trusted administrators can modify script schedules, and enforce least‑privilege principles on all accounts.
  • Configure and review operating‑system audit logs to detect unauthorized script execution and unusual command activity.

Advisories

No advisories yet.

History

Wed, 13 May 2026 03:15:00 +0000

Type | Values Removed | Values Added
Title | | Remote Code Execution via OS Script Schedule Bypass in Claris FileMaker Cloud

Wed, 13 May 2026 01:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-94
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5.
References | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T00:16:34.506Z

Reserved: 2026-05-01T22:46:21.641Z

Link: CVE-2026-43680

Vulnrichment

Updated: 2026-05-13T00:15:41.970Z

NVD

Status: Received

Published: 2026-05-12T23:16:17.870

Modified: 2026-05-12T23:16:17.870

Link: CVE-2026-43680

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T03:00:12Z

Weaknesses