CVE-2026-26053 (GCVE-0-2026-26053)

Vulnerability from cvelistv5 – Published: 2026-07-07 03:48 – Updated: 2026-07-07 13:37
VLAI
Summary
An Incorrect Privilege Assignment (CWE-266) vulnerability in the Command Centre Server allows an authenticated operator with limited privileges to perform some operations that they would not normally be authorized to perform. Version of Command Centre affected: 9.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-266 - Incorrect privilege assignment
Assigner
Impacted products
Vendor Product Version
Gallagher Command Centre Server Affected: 9.10 (custom)
Affected: 9.50 , < vEL9.50.1587(MR1) (custom)
Affected: 9.40 , < vEL9.40.3130(MR3) (custom)
Affected: 9.30 , < vEL9.30.3983(MR5) (custom)
Affected: 9.20 , < vEL9.20.4349(MR7) (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26053",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-07T13:37:41.225293Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-07T13:37:52.035Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Command Centre Server",
          "vendor": "Gallagher",
          "versions": [
            {
              "status": "affected",
              "version": "9.10",
              "versionType": "custom"
            },
            {
              "lessThan": "vEL9.50.1587(MR1)",
              "status": "affected",
              "version": "9.50",
              "versionType": "custom"
            },
            {
              "lessThan": "vEL9.40.3130(MR3)",
              "status": "affected",
              "version": "9.40",
              "versionType": "custom"
            },
            {
              "lessThan": "vEL9.30.3983(MR5)",
              "status": "affected",
              "version": "9.30",
              "versionType": "custom"
            },
            {
              "lessThan": "vEL9.20.4349(MR7)",
              "status": "affected",
              "version": "9.20",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An\u0026nbsp;Incorrect Privilege Assignment (CWE-266)\u0026nbsp;vulnerability in\u0026nbsp;the Command Centre Server\u0026nbsp;allows an\u0026nbsp;authenticated operator with limited privileges\u0026nbsp;to perform some operations that they would not normally be authorized to perform.\u0026nbsp;\u003cdiv\u003eVersion of Command Centre affected:\u0026nbsp;9.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.\u0026nbsp;\u003c/div\u003e"
            }
          ],
          "value": "An\u00a0Incorrect Privilege Assignment (CWE-266)\u00a0vulnerability in\u00a0the Command Centre Server\u00a0allows an\u00a0authenticated operator with limited privileges\u00a0to perform some operations that they would not normally be authorized to perform.\u00a0Version of Command Centre affected:\u00a09.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266 Incorrect privilege assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T03:48:47.708Z",
        "orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
        "shortName": "Gallagher"
      },
      "references": [
        {
          "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-26053"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
    "assignerShortName": "Gallagher",
    "cveId": "CVE-2026-26053",
    "datePublished": "2026-07-07T03:48:47.708Z",
    "dateReserved": "2026-03-01T23:45:09.665Z",
    "dateUpdated": "2026-07-07T13:37:52.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-26053",
      "date": "2026-07-11",
      "epss": "0.00153",
      "percentile": "0.04846"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-26053\",\"sourceIdentifier\":\"disclosures@gallagher.com\",\"published\":\"2026-07-07T05:16:50.117\",\"lastModified\":\"2026-07-07T14:16:29.567\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An\u00a0Incorrect Privilege Assignment (CWE-266)\u00a0vulnerability in\u00a0the Command Centre Server\u00a0allows an\u00a0authenticated operator with limited privileges\u00a0to perform some operations that they would not normally be authorized to perform.\u00a0Version of Command Centre affected:\u00a09.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.\"}],\"affected\":[{\"source\":\"disclosures@gallagher.com\",\"affectedData\":[{\"vendor\":\"Gallagher\",\"product\":\"Command Centre Server\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"9.10\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"9.50\",\"lessThan\":\"vEL9.50.1587(MR1)\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"9.40\",\"lessThan\":\"vEL9.40.3130(MR3)\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"9.30\",\"lessThan\":\"vEL9.30.3983(MR5)\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"9.20\",\"lessThan\":\"vEL9.20.4349(MR7)\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-07T13:37:41.225293Z\",\"id\":\"CVE-2026-26053\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"disclosures@gallagher.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-266\"}]}],\"references\":[{\"url\":\"https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-26053\",\"source\":\"disclosures@gallagher.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26053\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-07T13:37:41.225293Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-07T13:37:47.694Z\"}}], \"cna\": {\"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Gallagher\", \"product\": \"Command Centre Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.10\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.50\", \"lessThan\": \"vEL9.50.1587(MR1)\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.40\", \"lessThan\": \"vEL9.40.3130(MR3)\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.30\", \"lessThan\": \"vEL9.30.3983(MR5)\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.20\", \"lessThan\": \"vEL9.20.4349(MR7)\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-26053\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An\\u00a0Incorrect Privilege Assignment (CWE-266)\\u00a0vulnerability in\\u00a0the Command Centre Server\\u00a0allows an\\u00a0authenticated operator with limited privileges\\u00a0to perform some operations that they would not normally be authorized to perform.\\u00a0Version of Command Centre affected:\\u00a09.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An\u0026nbsp;Incorrect Privilege Assignment (CWE-266)\u0026nbsp;vulnerability in\u0026nbsp;the Command Centre Server\u0026nbsp;allows an\u0026nbsp;authenticated operator with limited privileges\u0026nbsp;to perform some operations that they would not normally be authorized to perform.\u0026nbsp;\u003cdiv\u003eVersion of Command Centre affected:\u0026nbsp;9.50 prior to vEL9.50.1587(MR1), 9.40 prior to vEL9.40.3130(MR3), 9.30 prior to vEL9.30.3983(MR5), 9.20 prior to vEL9.20.4349(MR7), all versions of 9.10.\u0026nbsp;\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-266\", \"description\": \"CWE-266 Incorrect privilege assignment\"}]}], \"providerMetadata\": {\"orgId\": \"0c426f27-3ee1-4eff-be88-288d5a1822bc\", \"shortName\": \"Gallagher\", \"dateUpdated\": \"2026-07-07T03:48:47.708Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-26053\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-07T13:37:52.035Z\", \"dateReserved\": \"2026-03-01T23:45:09.665Z\", \"assignerOrgId\": \"0c426f27-3ee1-4eff-be88-288d5a1822bc\", \"datePublished\": \"2026-07-07T03:48:47.708Z\", \"assignerShortName\": \"Gallagher\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…