Description
A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-28
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to perform syncFile operations in the NodeAgent component without proper authorization, enabling unauthorized file access or manipulation. It is a software flaw identified as improper authorization, classified under CWE-266 and CWE-285. The vulnerability is remote, but the attack requires non‑trivial preparation and is considered difficult to exploit.

Affected Systems

o2oa systems up to version 10.0 are affected. The issue arises in the syncFile method of NodeAgent.java within the NodeAgent component, which is part of the overall o2oa platform.

Risk and Exploitability

The CVSS score is 6.3, indicating moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers can initiate the exploit remotely, but the high complexity and difficulty reduce the likelihood of widespread exploitation. The vulnerability has been publicly disclosed and could be used if a patch is not applied.

Generated by OpenCVE AI on April 29, 2026 at 01:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade o2oa to a version later than 10.0 in which the syncFile authorization issue is corrected, once such a release is available.
  • Restrict remote access to the NodeAgent syncFile endpoint using network segmentation or firewall rules until a patch is applied.
  • Monitor system logs for abnormal syncFile requests and investigate any unauthorized file access attempts.

Generated by OpenCVE AI on April 29, 2026 at 01:26 UTC.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | O2oa; O2oa o2oa
Vendors & Products | | O2oa; O2oa o2oa

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title | | o2oa NodeAgent NodeAgent.java syncFile improper authorization
Weaknesses | | CWE-266; CWE-285
References | |
Metrics | | cvssV2_0: score 5.1, vector AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
 | | cvssV3_0: score 5.6, vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
 | | cvssV3_1: score 5.6, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
 | | cvssV4_0: score 6.3, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T12:19:21.182Z

Reserved: 2026-04-28T10:20:54.548Z

Link: CVE-2026-7292

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-28T19:37:48.437

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:37Z

Weaknesses