CVE-2026-45776: CWE-284: Improper Access Control in ubccr xdmod
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD includes the optional Job Performance (SUPReMM) module, an attacker could bypass intended data access restrictions and view other users' compute job efficiency metrics. All deployments of Open XDMoD prior to version 11.0.3 that contain the optional Job Performance (SUPReMM) module are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
AI Analysis
Technical Summary
CVE-2026-45776 is an improper access control vulnerability (CWE-284) in Open XDMoD prior to version 11.0.3. The issue arises from flawed access control logic that permits an attacker to submit a crafted HTTPS POST request to set a session variable used for authorization decisions. When the optional Job Performance (SUPReMM) module is installed, this can lead to unauthorized access to other users' compute job efficiency metrics. The vulnerability affects all Open XDMoD deployments before 11.0.3 that include this module. The vendor released a patch in version 11.0.3 on 2026-05-12 to address this issue.
Potential Impact
An attacker with network access can bypass intended data access restrictions and view sensitive compute job efficiency metrics belonging to other users. This exposure compromises confidentiality of HPC metrics data. There is no indication of privilege escalation beyond the described data access bypass. No known exploitation in the wild has been reported.
Mitigation Recommendations
A patch fixing this vulnerability is available in Open XDMoD version 11.0.3, released on 2026-05-12. Users should upgrade to this version to remediate the issue. As a workaround, the patch can be applied manually if immediate upgrade is not feasible. No other mitigation guidance is provided or required.
CVE-2026-45776: CWE-284: Improper Access Control in ubccr xdmod
Description
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD includes the optional Job Performance (SUPReMM) module, an attacker could bypass intended data access restrictions and view other users' compute job efficiency metrics. All deployments of Open XDMoD prior to version 11.0.3 that contain the optional Job Performance (SUPReMM) module are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
CVSS v4.0
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45776 is an improper access control vulnerability (CWE-284) in Open XDMoD prior to version 11.0.3. The issue arises from flawed access control logic that permits an attacker to submit a crafted HTTPS POST request to set a session variable used for authorization decisions. When the optional Job Performance (SUPReMM) module is installed, this can lead to unauthorized access to other users' compute job efficiency metrics. The vulnerability affects all Open XDMoD deployments before 11.0.3 that include this module. The vendor released a patch in version 11.0.3 on 2026-05-12 to address this issue.
Potential Impact
An attacker with network access can bypass intended data access restrictions and view sensitive compute job efficiency metrics belonging to other users. This exposure compromises confidentiality of HPC metrics data. There is no indication of privilege escalation beyond the described data access bypass. No known exploitation in the wild has been reported.
Mitigation Recommendations
A patch fixing this vulnerability is available in Open XDMoD version 11.0.3, released on 2026-05-12. Users should upgrade to this version to remediate the issue. As a workaround, the patch can be applied manually if immediate upgrade is not feasible. No other mitigation guidance is provided or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-13T07:45:21.251Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a232492e29bf47b50b16f59
Added to database: 6/5/2026, 7:33:38 PM
Last enriched: 6/5/2026, 7:49:13 PM
Last updated: 6/6/2026, 4:22:20 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.