Description
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
Published: 2026-06-26
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Peplink InControl version 2, up to and including 2.14.2, has a flaw that lets an attacker place a semicolon in certain /rest/o/{orgId} API requests. This bypasses the built-in access-control checks, allowing unauthorized users to reach endpoints that should be restricted by organization context. The weakness is classified as CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization): the authorization decision is made on the raw request before the path is parsed and canonicalized, so a path the ACL does not recognize can still be routed to a protected endpoint. If an attacker succeeds, they could read or alter configuration or operational data belonging to other organizations, compromising the confidentiality and integrity of the system.

Affected Systems

The vulnerability affects Peplink InControl 2, all releases from 2.0 up to 2.14.2 inclusive. The issue is present in all builds released before 2026-06-03 and has been patched in later releases.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. The low EPSS estimate and the absence of a KEV listing do not diminish the potential impact where the software is deployed in an environment in which unauthorized actors can craft API requests. The likely attack vector is the web API: an authenticated or unauthenticated user appends a semicolon to the request path or query so that the server treats the string as part of the organization identifier, effectively bypassing the ACL logic.

Generated by OpenCVE AI on June 26, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Peplink InControl release (2.14.3 or later) to remove the semicolon injection flaw
  • Configure network segmentation and firewall rules to limit exposure of the /rest/o APIs to trusted hosts only
  • Audit API logs for unexpected /rest/o calls and verify that authorization checks correctly enforce organization boundaries


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 13:45:00 +0000

Type | Values Removed | Values Added
Title | | Access Control Bypass via Semicolon Injection in Peplink InControl 2

Fri, 26 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
Weaknesses | | CWE-551
References | |
Metrics | | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T13:32:31.453Z

Reserved: 2026-06-26T12:20:51.599Z

Link: CVE-2026-57920

Vulnrichment

Updated: 2026-06-26T13:32:19.714Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T13:30:16Z

Weaknesses
  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization