CVE-2026-53902
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
A vulnerability in MCO allows an authenticated user to modify group membership without proper authorization checks, leading to privilege escalation. An attacker can add themselves to arbitrary groups by providing a valid group ID, which can be obtained from other application functions or guessed via brute-force.
Risk Assessment
The risk involves potential unauthorized privilege escalation, allowing an attacker to access sensitive data or system functions, compromising confidentiality and integrity.
Recommendation
Immediately update MCO to the latest available version and apply authorization fixes for the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. Until then, restrict access to this endpoint to trusted users only.
Original NVD description (English source)
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

