This vulnerability (CVE-2026-26289) affects the PowerSYSTEM Center 2020 product from Subnet Solutions, specifically version 5.8.x. The issue is an incorrect authorization (CWE-863) in the REST API endpoint responsible for exporting device account information. Authenticated users with limited privileges can exploit this flaw to retrieve sensitive data normally accessible only to administrators. The CVSS 4.0 base score is 8.4, indicating a high severity with network attack vector (adjacent), low attack complexity, no user interaction, and partial impacts on confidentiality, integrity, and availability. No official fix or patch has been documented as of the publication date.

An attacker with valid but limited credentials can access sensitive information through the device account export API endpoint that should be restricted to administrators. This exposure could lead to unauthorized disclosure of sensitive data, potentially aiding further attacks or privilege escalation. However, there is no evidence of active exploitation in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, organizations should consider restricting access to the REST API endpoint to trusted users only and monitor for unusual access patterns. Avoid granting unnecessary permissions to users and review API access controls carefully.