Description
In Mimecast Incydr before 2.6.0, arbitrary file access can occur.
Published: 2026-06-05
Score: 4.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Mimecast Incydr prior to version 2.6.0 allows arbitrary file access, enabling a threat actor to read or modify any file accessible to the Incydr agent process. This weakness is classified as CWE-732, Incorrect Permission Assignment for Critical Resource. The potential impact includes unauthorized disclosure or alteration of data stored on the host where the agent runs, compromising confidentiality and integrity. The CVSS score of 4.5 indicates medium severity, which could be significant, especially in environments where sensitive documents are stored on endpoints.

Affected Systems

Mimecast Incydr, any version before 2.6.0. The only vendor‑product pair identified is Mimecast:Incydr. No additional specific sub‑product or version details are listed beyond the stated pre‑2.6.0 baseline.

Risk and Exploitability

The issue carries a moderate CVSS score of 4.5 and is not listed in CISA’s KEV catalog; its EPSS is not available. The attack vector is not explicitly documented in the description, so the vulnerability is likely exploitable via local privilege escalation or by compromising the Incydr agent, which runs on the target machine. If an adversary can execute code within the same context as the agent, they could read any file the user or system can access, but no documented remote exploitation path is indicated in the available data.

Generated by OpenCVE AI on June 5, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mimecast Incydr to version 2.6.0 or later.
  • Restrict file system permissions on the Incydr agent executable and configuration files to authorized users only, ensuring that only privileged processes can modify these assets.
  • Monitor file access activity related to the Incydr agent for anomalous read or write operations, and investigate any unauthorized attempts.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mimecast; Mimecast incydr
Vendors & Products | | Mimecast; Mimecast incydr

Fri, 05 Jun 2026 03:45:00 +0000

Type | Values Removed | Values Added
Title | | Arbitrary File Access in Mimecast Incydr Before 2.6.0

Fri, 05 Jun 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | In Mimecast Incydr before 2.6.0, arbitrary file access can occur.
Weaknesses | | CWE-732
References | |
Metrics | | cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T18:23:44.310Z

Reserved: 2026-06-05T00:15:14.623Z

Link: CVE-2026-50590

Vulnrichment

Updated: 2026-06-05T18:23:40.795Z

NVD

Status: Awaiting Analysis

Published: 2026-06-05T02:17:14.007

Modified: 2026-06-05T16:06:10.940

Link: CVE-2026-50590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:07:08Z

Weaknesses
  • CWE-732: Incorrect Permission Assignment for Critical Resource