{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20757", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "state": "PUBLISHED", "assignerShortName": "Gallagher", "dateReserved": "2026-03-01T23:45:09.766Z", "datePublished": "2026-03-03T02:40:45.702Z", "dateUpdated": "2026-03-03T15:43:33.823Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Command Centre Server", "vendor": "Gallagher", "versions": [{"lessThanOrEqual": "9.00", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "9.40.1976(MR1)", "status": "affected", "version": "9.40", "versionType": "custom"}, {"lessThan": "9.30.3382 (MR4)", "status": "affected", "version": "9.30", "versionType": "custom"}, {"lessThan": "9.20.3783 (MR6)", "status": "affected", "version": "9.20", "versionType": "custom"}, {"lessThan": "9.10.4647 (MR9)", "status": "affected", "version": "9.10", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Improper Locking</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;vulnerability (CWE-667) in</span><strong>&nbsp;</strong>Gallagher Morpho integration <span style=\"background-color: rgb(255, 255, 255);\">allows a privileged operator </span><span style=\"background-color: rgb(255, 255, 255);\">to cause a limited denial-of-service in the Command Centre Server</span><span style=\"background-color: rgb(255, 255, 255);\">.</span>\n\n\n\n<p>This issue affects Command Centre Server: \n\n<span style=\"background-color: rgb(255, 255, 255);\">9.40 prior to vEL9.40.1976(MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all versions of 9.00 and prior.</span>\n\n</p>"}], "value": "Improper Locking\u00a0vulnerability (CWE-667) in\u00a0Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server.\n\n\n\nThis issue affects Command Centre Server: \n\n9.40 prior to vEL9.40.1976(MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all versions of 9.00 and prior."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-667", "description": "CWE-667 Improper Locking", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2026-03-03T02:40:45.702Z"}, "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-20757"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:38:55.859473Z", "id": "CVE-2026-20757", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:43:33.823Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20757", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T15:38:55.859473Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:42:59.785Z"}}], "cna": {"source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.5, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gallagher", "product": "Command Centre Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "9.00"}, {"status": "affected", "version": "9.40", "lessThan": "9.40.1976(MR1)", "versionType": "custom"}, {"status": "affected", "version": "9.30", "lessThan": "9.30.3382 (MR4)", "versionType": "custom"}, {"status": "affected", "version": "9.20", "lessThan": "9.20.3783 (MR6)", "versionType": "custom"}, {"status": "affected", "version": "9.10", "lessThan": "9.10.4647 (MR9)", "versionType": "custom"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-20757"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Locking\u00a0vulnerability (CWE-667) in\u00a0Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server.\n\n\n\nThis issue affects Command Centre Server: \n\n9.40 prior to vEL9.40.1976(MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all versions of 9.00 and prior.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Improper Locking</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;vulnerability (CWE-667) in</span><strong>&nbsp;</strong>Gallagher Morpho integration <span style=\"background-color: rgb(255, 255, 255);\">allows a privileged operator </span><span style=\"background-color: rgb(255, 255, 255);\">to cause a limited denial-of-service in the Command Centre Server</span><span style=\"background-color: rgb(255, 255, 255);\">.</span>\n\n\n\n<p>This issue affects Command Centre Server: \n\n<span style=\"background-color: rgb(255, 255, 255);\">9.40 prior to vEL9.40.1976(MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all versions of 9.00 and prior.</span>\n\n</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-667", "description": "CWE-667 Improper Locking"}]}], "providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2026-03-03T02:40:45.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20757", "state": "PUBLISHED", "dateUpdated": "2026-03-03T15:43:33.823Z", "dateReserved": "2026-03-01T23:45:09.766Z", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "datePublished": "2026-03-03T02:40:45.702Z", "assignerShortName": "Gallagher"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Locking\u00a0vulnerability (CWE-667) in\u00a0Gallagher Morpho integration allows a privileged operator to cause a limited denial-of-service in the Command Centre Server.\n\n\n\nThis issue affects Command Centre Server: \n\n9.40 prior to vEL9.40.1976(MR1), 9.30 prior to vEL9.30.3382 (MR4), 9.20 prior to vEL9.20.3783 (MR6), 9.10 prior to vEL9.10.4647 (MR9), all versions of 9.00 and prior."}], "id": "CVE-2026-20757", "lastModified": "2026-03-03T21:52:29.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 1.4, "source": "disclosures@gallagher.com", "type": "Secondary"}]}, "published": "2026-03-03T03:15:54.377", "references": [{"source": "disclosures@gallagher.com", "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-20757"}], "sourceIdentifier": "disclosures@gallagher.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "disclosures@gallagher.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.00]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.40,9.40.1976(MR1))"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.30,9.30.3382 (MR4))"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.20,9.20.3783 (MR6))"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.10,9.10.4647 (MR9))"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "Command Centre Server", "source": "cna", "vendor": "Gallagher"}, "product": "command_centre", "vendor": "gallagher"}], "analysis": {"en": {"generated_at": "2026-04-16T14:10:35.764774+00:00", "value": {"mitigation_remediation": ["Install the latest Gallagher Command Centre Server update that contains the fix for the improper locking bug", "Revoke or restrict privileged operator accounts that could trigger the issue from executing actions that involve Morpho integration", "Continuously monitor system performance and logs for lock contention or repetitive denial\u2011of\u2011service symptoms to detect any remaining exploitation attempts"], "summary": {"action": "Apply Patch", "impact": "Limited Denial of Service"}, "threat_synthesis": {"affected_systems": "Gallagher Command Centre Server versions are affected: any release from 9.00 onward up to but not including vEL9.40.1976 (MR1), vEL9.30.3382 (MR4), vEL9.20.3783 (MR6), vEL9.10.4647 (MR9) and all earlier 9.40, 9.30, 9.20, 9.10, and 9.00 series. All versions older than vEL9.40.1976 are vulnerable.", "description_and_impact": "The vulnerability is an improper locking issue (CWE\u2011667) in the Gallagher Morpho integration. If exploited by a privileged operator, it allows the operator to trigger a lock that can cause a temporary interruption in service of the Command Centre Server. The impact is therefore a limited denial\u2011of\u2011service rather than a broad compromise of confidentiality or integrity.", "risk_and_exploitability": "The CVSS score of 2.5 indicates a low severity for this denial\u2011of\u2011service exploit, and the EPSS score of less than 1% suggests a very low probability of active exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, involving a privileged operator who has direct access to the Command Centre Server. There are no publicly known mitigations besides applying an update; the vendor does not provide a formal workaround."}}}}, "created": "2026-03-04T21:04:07.996370+00:00", "title": "Improper Locking in Gallagher Morpho Integration Causes Limited Denial-of-Service", "updated": "2026-04-16T14:15:28.812537+00:00", "vendors": ["gallagher", "gallagher$PRODUCT$command_centre"]}