CVE-2026-53905: CWE-863 Incorrect Authorization in MyComplianceOffice MCO
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
AI Analysis
Technical Summary
CVE-2026-53905 is an incorrect authorization vulnerability (CWE-863) in MyComplianceOffice MCO version 25.3.3.1. The affected endpoint does not properly enforce authorization checks, allowing authenticated users with low privileges to retrieve administrator access control structures. This exposure can reveal sensitive internal permission mappings and configuration details. Attempts to contact the vendor for remediation information were unsuccessful, and no official fix or patch is currently documented.
Potential Impact
An attacker with low-level authenticated access can retrieve sensitive administrator access control structures, which may disclose internal permission mappings and configuration details. This could aid further attacks or privilege escalation attempts. However, there is no evidence of active exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available and vendor contact attempts were unsuccessful, organizations should consider restricting access to the affected endpoint and monitoring for unusual access patterns from low-privileged users. Avoid granting unnecessary authenticated access until a fix is released.
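The two compensating controls above (restrict the endpoint, watch for low-privileged access) as an added example, not code from the advisory or from MCO: a path gate suitable for a reverse proxy or servlet filter, plus a retrospective scan over application log lines. The role names, the log layout and the sample lines are assumptions constructed for the example; only the endpoint path comes from the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the advisory; ADMIN_PREFIX covers the namespace it lives in.
AFFECTED_ENDPOINT = "/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure"
ADMIN_PREFIX = "/customer/servlet/mco/webapi/admin-view-hierarchy"
ADMIN_ROLES = frozenset({"admin", "sysadmin"})  # assumed role names, not MCO's own

def normalize_path(raw: str) -> str:
    """Decode and canonicalise a request path so encoded or dot-segment variants
    of the admin path are matched the way the servlet container resolves them."""
    path = unquote(raw.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)  # posixpath.normpath would keep a leading '//'
    return posixpath.normpath(path)

def is_request_authorized(path: str, role: str) -> bool:
    """Compensating control for an edge proxy or servlet filter: only admin roles
    reach admin-view-hierarchy endpoints; other paths are left to the application."""
    clean = normalize_path(path)
    if clean == ADMIN_PREFIX or clean.startswith(ADMIN_PREFIX + "/"):
        return role in ADMIN_ROLES
    return True

# Assumed application log layout: "<ts> user=<id> role=<role> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def find_unauthorized_acl_reads(log_lines):
    """Retrospective detection: successful (2xx) reads of the ACL tree by non-admin
    sessions. Returns (timestamp, user, role) tuples, one per offending request."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        d = m.groupdict()
        if (normalize_path(d["path"]) == AFFECTED_ENDPOINT
                and d["role"] not in ADMIN_ROLES and d["status"].startswith("2")):
            findings.append((d["ts"], d["user"], d["role"]))
    return findings

# Constructed sample lines; user ids and roles are invented for this example.
SAMPLE_LOG = [
    "2026-07-01T12:00:01Z user=u1042 role=admin GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure 200",
    "2026-07-01T12:00:07Z user=u2211 role=user GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure?depth=3 200",
    "2026-07-01T12:00:09Z user=u2211 role=user GET /customer/servlet/mco/webapi/profile 200",
    "2026-07-01T12:00:15Z user=u3307 role=user GET /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure 403",
]
```

The edge gate only narrows exposure; the CWE-863 defect itself is fixed only when the endpoint performs its own authorization check server-side.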
CVSS v4.0
Score: 5.3 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2026-06-11T07:44:52.179Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a450d6a27e9c797197b958f
Added to database: 07/01/2026, 12:51:54 UTC
Last enriched: 07/01/2026, 13:07:17 UTC
Last updated: 07/02/2026, 00:14:45 UTC