Description
Impact

A security issue has been identified in Chef 360 that could allow unauthorized access to protected API endpoints under specific conditions. This issue is due to improper handling of URL-encoded paths during request processing. In certain scenarios, an authenticated request may bypass standard access controls, gaining additional privileges and potentially allowing access to API endpoints that are intended to be restricted to higher-permissioned roles. The impact is limited to environments where the affected request patterns can be triggered and depends on the specific deployment configuration and access controls in place.
Resolution
The issue has been addressed through product updates that improve request validation and enforce strict path normalization before authorization checks. Customers are advised to update to the latest available version containing the fix, version 1.7.1 or later.
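The ordering the Resolution describes (normalize the path, then authorize on the canonical form) as an added illustration; this is not Chef 360's code, the route prefixes and role names are constructed placeholders, and the second authorization function shows the weak ordering purely for contrast.

```python
import posixpath
from urllib.parse import unquote

# Constructed route table: prefix -> roles allowed. Placeholder endpoints
# for illustration only, not Chef 360's real API routes.
ROLE_RULES = [
    ("/api/admin", {"admin"}),
    ("/api", {"admin", "operator", "viewer"}),
]

def canonicalize(raw_path: str) -> str:
    """Reduce a request path to one canonical spelling before any decision
    is made on it: drop the query, percent-decode until stable (so double
    encoding such as %252e collapses too), reject control characters and
    backslashes, then resolve '.', '..' and repeated slashes."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path:
        raise ValueError("rejected: path still encoded after repeated decoding")
    if "\x00" in path or "\\" in path:
        raise ValueError("rejected: control character or backslash in path")
    norm = posixpath.normpath("/" + path)   # resolves '.', '..', '//'
    return "/" + norm.lstrip("/")           # normpath keeps a leading '//'

def _under(path: str, prefix: str) -> bool:
    """Segment-aware prefix match: '/api/admin' covers '/api/admin/x'
    but not '/api/administrators'."""
    return path == prefix or path.startswith(prefix + "/")

def authorize(raw_path: str, role: str) -> bool:
    """Hardened ordering: canonicalize first, decide on the canonical path.
    Unknown paths are denied by default; malformed paths raise."""
    path = canonicalize(raw_path)
    for prefix, roles in ROLE_RULES:
        if _under(path, prefix):
            return role in roles
    return False

def authorize_raw_path_first(raw_path: str, role: str) -> bool:
    """Weak ordering shown for contrast: the decision is taken on the raw
    request path while the router decodes it later, so an encoded spelling
    of a privileged prefix falls through to the less restrictive rule."""
    for prefix, roles in ROLE_RULES:
        if _under(raw_path, prefix):
            return role in roles
    return False
```

A regression test for the fix should assert that every encoded spelling of a privileged path yields the same decision as its plain spelling.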
Published: 2026-06-18
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A defect allows a malicious actor to bypass standard access controls by crafting URL-encoded paths that circumvent request validation, enabling access to API endpoints reserved for higher-permission roles. The flaw is rooted in improper path normalization (CWE-23) and can materialize when certain request patterns reach the affected request-processing logic. The resulting privilege escalation can expose sensitive data and services within the environment, but it is limited to scenarios where the attack pattern can be executed and requires the attacker to be authenticated to the system.

Affected Systems

Progress Chef’s Chef360 product is affected. The published fix begins with version 1.7.1; deployments using earlier releases are potentially vulnerable until the update is applied.

Risk and Exploitability

The CVSS score of 8.6 classifies the vulnerability as high severity. No EPSS data is available and it is not listed in the CISA KEV catalog, so the current likelihood of exploitation is unknown. The flaw can nevertheless be triggered over the network by an authenticated user sending a URL-encoded path that is not normalized before the authorization check. The risk is mitigated once the fixed version is installed.

Generated by OpenCVE AI on June 18, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Chef360 update (version 1.7.1 or later) to enforce proper request validation and path normalization before authorization checks.
  • If a custom proxy or API gateway is in place, verify that it normalizes paths to prevent traversal before forwarding requests to Chef360.
  • Perform testing to confirm that the access controls for privileged API endpoints are enforced after the update.



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

Type: Description
Values removed: (empty)
Values added: the Description and Resolution text shown at the top of this page.

Type: Weaknesses
Values removed: (empty)
Values added: CWE-23

Type: References
Values removed: (empty)
Values added: (empty)

Type: Metrics
Values removed: (empty)
Values added: cvssV4_0, score 8.6, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/RE:M



MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-06-18T21:18:27.689Z

Reserved: 2026-05-07T13:58:59.166Z

Link: CVE-2026-8100

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses
  • CWE-23: Relative Path Traversal