CVE-2026-26099: CWE-427 Uncontrolled Search Path Element in Owl opds
CVE-2026-26099 is a high-severity vulnerability in Owl opds version 2.2.0.4 involving an uncontrolled search path element (CWE-427). This flaw allows an attacker with high privileges to manipulate configuration file search paths through crafted network requests, potentially leading to execution of malicious code or unauthorized configuration changes. Exploitation requires local access with elevated privileges and no user interaction, but the impact on confidentiality, integrity, and availability is high. There are no known exploits in the wild yet, and no patches have been published. Organizations using Owl opds should prioritize reviewing and restricting configuration file search paths and monitor for suspicious activity. Countries with significant use of Owl opds or strategic interest in related sectors are at higher risk. Given the CVSS 8.
AI Analysis
Technical Summary
CVE-2026-26099 is a vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting Owl opds version 2.2.0.4. The issue arises because the software improperly handles the search paths for configuration files, allowing an attacker to influence or manipulate these paths via specially crafted network requests. This manipulation can cause the application to load malicious or unintended configuration files, potentially leading to unauthorized code execution or configuration tampering. The vulnerability requires the attacker to have high privileges on the local system (AV:L, PR:H) but does not require user interaction (UI:N) or authentication tokens beyond those privileges. The CVSS 4.0 vector indicates low attack complexity and no need for user interaction, but the scope is limited to the local system. The vulnerability impacts confidentiality, integrity, and availability at a high level due to the potential for executing arbitrary code or altering critical configurations. No patches or known exploits are currently available, but the risk remains significant given the nature of the flaw. The vulnerability was published on February 20, 2026, and assigned by Nozomi. Owl opds is used in environments where configuration integrity is critical, making this vulnerability a serious concern for affected deployments.
Potential Impact
The vulnerability poses a significant risk to organizations using Owl opds 2.2.0.4, especially those relying on the software for critical configuration management. An attacker with elevated local privileges can exploit this flaw to load malicious configuration files, potentially leading to arbitrary code execution, privilege escalation, or disruption of service. This can compromise the confidentiality of sensitive data, integrity of system configurations, and availability of services dependent on Owl opds. The attack vector being local limits remote exploitation but does not eliminate risk in environments where multiple users have elevated access or where attackers have gained initial footholds. The absence of known exploits suggests limited current active threat, but the high CVSS score indicates that successful exploitation would have severe consequences. Organizations in sectors such as critical infrastructure, government, and enterprises with complex configuration management are particularly vulnerable.
Mitigation Recommendations
To mitigate CVE-2026-26099, organizations should immediately audit and restrict access to Owl opds configuration files and their search paths. Implement strict file system permissions to prevent unauthorized modification or insertion of malicious configuration files. Employ application whitelisting and integrity monitoring to detect unauthorized changes to configuration paths or files. Limit the number of users with high privileges on systems running Owl opds and enforce the principle of least privilege. Network segmentation and isolation of systems running Owl opds can reduce the risk of lateral movement by attackers with local access. Monitor logs and network traffic for unusual configuration requests or access patterns indicative of exploitation attempts. Since no patches are currently available, consider deploying compensating controls such as containerization or sandboxing of Owl opds processes to limit impact. Stay informed on vendor updates for patches and apply them promptly once released.
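One way to carry out the search-path audit recommended above, as an added example (not Owl opds code or vendor tooling): it flags relative entries, missing directories, and any search directory or ancestor that an untrusted account owns or can write to. The directories in the demo call are placeholders, since this page does not list the paths Owl opds searches; `audit_search_path` and `trusted_uids` are names chosen for this example.

```python
import os
import stat

def _weakness(path, trusted_uids, is_leaf):
    """Reason why `path` lets an untrusted user plant or swap files, else None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by untrusted uid {st.st_uid}"
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    # The sticky bit stops renaming other users' entries in an ancestor, but
    # it does not stop new files being dropped into the search directory itself.
    if writable and (is_leaf or not st.st_mode & stat.S_ISVTX):
        return "writable by group or others (mode %o)" % stat.S_IMODE(st.st_mode)
    return None

def audit_search_path(entries, trusted_uids=(0,)):
    """Return (entry, component, reason) for each unsafe search-path element."""
    findings = []
    for entry in entries:
        if not os.path.isabs(entry):
            findings.append((entry, entry, "relative entry resolves against the process CWD"))
            continue
        cur = os.path.realpath(entry)  # follow symlinks to the real location
        if not os.path.isdir(cur):
            findings.append((entry, cur, "missing directory; whoever can create it controls lookups"))
            while not os.path.isdir(cur):  # audit the nearest existing parent instead
                cur = os.path.dirname(cur)
        is_leaf = True
        while True:  # walk the element and every ancestor up to the root
            reason = _weakness(cur, trusted_uids, is_leaf)
            if reason:
                findings.append((entry, cur, reason))
            parent = os.path.dirname(cur)
            if parent == cur:
                break
            cur, is_leaf = parent, False
    return findings

if __name__ == "__main__":
    # Placeholder directories: substitute the locations your deployment searches.
    for entry, component, reason in audit_search_path(["/etc/example-app", "conf"]):
        print(f"{entry}: {component}: {reason}")
```

Run it as the service account's administrator and pass the UIDs that are allowed to own configuration directories in `trusted_uids`; an empty result means no element of the list can be modified by anyone else.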
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Nozomi
- Date Reserved: 2026-02-11T09:59:47.766Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6998c9e6be58cf853bab77c8
Added to database: 2/20/2026, 8:53:58 PM
Last enriched: 2/20/2026, 9:01:56 PM
Last updated: 2/20/2026, 10:15:15 PM