CVE-2026-53905
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
The vulnerability in MCO is due to improper authorization enforcement in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated low-privileged user can retrieve administrator access control structures, potentially exposing sensitive permission mappings and internal configuration details.
Risk Assessment
The risk involves potential privilege escalation through unauthorized access to administrator ACL structures, which may lead to leakage of confidential configuration data and permission mappings.
Recommendation
It is recommended to immediately apply security patches from the vendor or temporarily restrict access to the endpoint via firewall rules and request filtering.
Original NVD description (English source)
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

