CVE-2026-26289

HIGH

Subnet Solutions PowerSYSTEM Center Incorrect Authorization

Title source: cna

Description

PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.

References (2)

Core 2

Core References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-02

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json

View Writeup ZIP pw:eip

Scores

CVSS v3 8.2

EPSS 0.0014

EPSS Percentile 3.3%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (3)

Subnet Solutions/PowerSYSTEM Center 2020 5.8.x - 5.28.x

Subnet Solutions/PowerSYSTEM Center 2024 6.0.x - 6.1.x

Subnet Solutions/PowerSYSTEM Center 2026 7.0.x

Published May 12, 2026

Tracked Since May 13, 2026